Abstract


The Incident Object Description Exchange Format (IODEF) defined in RFC 7970 provides an 
information model and a corresponding XML data model for exchanging incident and indicator 
information. This document gives implementers and operators an alternative format to 
exchange the same information by defining an alternative data model implementation in JSON 
and its encoding in Concise Binary Object Representation (CBOR). 


1. Introduction 


The Incident Object Description Exchange Format (IODEF) [RFC7970] defines a data 
representation for security incident reports and indicators commonly exchanged by operational 
security teams. It facilitates the automated exchange of this information to enable mitigation and 
watch-and-warning. An information model using Unified Modeling Language (UML) is defined in 
Section 3 of [RFC7970] and a corresponding Extensible Markup Language (XML) schema data 
model is defined in Section 8 of [RFC7970]. This UML-based information model and XML-based 
data model are referred to as IODEF UML and IODEF XML, respectively, in this document. 


IODEF documents are structured and thus suitable for machine processing. They will streamline 
incident response operations. Another well-used and structured format that is suitable for 
machine processing is JavaScript Object Notation (JSON) [RFC8259]. To facilitate the automation 
of incident response operations, IODEF documents and implementations should support JSON 
representation and its encoding in Concise Binary Object Representation (CBOR) [RFC7049]. 


This document defines an alternate implementation of the IODEF UML information model by 
specifying a JSON data model using Concise Data Definition Language (CDDL) [RFC8610] and a 
JSON Schema [JSON-SCHEMA]. This JSON data model is referred to as IODEF JSON in this 
document. IODEF JSON provides all of the expressivity of IODEF XML. It gives implementers and 
operators an alternative format to exchange the same information.


The normative IODEF JSON data model is found in Section 6. Sections 2 and 3 describe the data 
types and elements of this data model. Section 4 provides examples. 


1.1. Requirements Language 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD 
NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to 
be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in 
all capitals, as shown here. 


2. IODEF Data Types 
IODEF JSON implements the abstract data types specified in Section 2 of [RFC7970]. 


2.1. Abstract Data Type to JSON Data Type Mapping 


IODEF JSON uses native and derived JSON data types. Table 1 describes the mapping between the
abstract data types in Section 2 of [RFC7970] and their corresponding implementations in IODEF
JSON.

IODEF Data Type  JSON Data Type                Reference
---------------  ----------------------------  ------------------------
INTEGER          integer; see Section 2.2.1    Section 2.1 of [RFC7970]
REAL             "number" per [RFC8259]        Section 2.2 of [RFC7970]
CHARACTER        "string" per [RFC8259]        Section 2.3 of [RFC7970]
STRING           "string" per [RFC8259]        Section 2.3 of [RFC7970]
ML_STRING        see Section 2.2.2             Section 2.4 of [RFC7970]
BYTE             "string" per [RFC8259]        Section 2.5.1 of [RFC7970]
BYTE[]           "string" per [RFC8259]        Section 2.5.1 of [RFC7970]
HEXBIN           "string" per [RFC8259]        Section 2.5.2 of [RFC7970]
HEXBIN[]         "string" per [RFC8259]        Section 2.5.2 of [RFC7970]
ENUM             see Section 2.2.3             Section 2.6 of [RFC7970]
DATETIME         "string" per [RFC8259]        Section 2.7 of [RFC7970]
TIMEZONE         "string" per [RFC8259]        Section 2.8 of [RFC7970]
PORTLIST         "string" per [RFC8259]        Section 2.9 of [RFC7970]
POSTAL           ML_STRING; see Section 2.2.2  Section 2.10 of [RFC7970]
PHONE            "string" per [RFC8259]        Section 2.11 of [RFC7970]
EMAIL            "string" per [RFC8259]        Section 2.12 of [RFC7970]
URL              "string" per [RFC8259]        Section 2.13 of [RFC7970]
ID               "string" per [RFC8259]        Section 2.14 of [RFC7970]
IDREF            "string" per [RFC8259]        Section 2.14 of [RFC7970]
SOFTWARE         see Section 2.2.4             Section 2.15 of [RFC7970]
STRUCTUREDINFO   see Section 2.2.5             Section 4.4 of [RFC7203]
EXTENSION        see Section 2.2.6             Section 2.16 of [RFC7970]

Table 1: JSON Data Types


IODEF Data Type  CBOR Data Type          CDDL Prelude [RFC8610]
---------------  ----------------------  -----------------------------------------
INTEGER          0, 1, 6 tag 2, 6 tag 3  integer
REAL             7 bits 26               float32
CHARACTER        3                       text
STRING           3                       text
ML_STRING        5                       Maps/Structs (Section 3.5.1 of [RFC8610])
BYTE             6 tag 22                eb64legacy
BYTE[]           6 tag 22                eb64legacy
HEXBIN           6 tag 23                eb16
HEXBIN[]         6 tag 23                eb16
ENUM                                     Choices (Section 2.2.2 of [RFC8610])
DATETIME         6 tag 0                 tdate
TIMEZONE                                 text
PORTLIST                                 text
POSTAL                                   ML_STRING (Section 2.2.2)
PHONE                                    text
EMAIL                                    text
URL              6 tag 32                uri
ID               3                       text
IDREF            3                       text
SOFTWARE         5                       Maps/Structs (Section 3.5.1 of [RFC8610])
STRUCTUREDINFO   5                       Maps/Structs (Section 3.5.1 of [RFC8610])
EXTENSION        5                       Maps/Structs (Section 3.5.1 of [RFC8610])

Table 2: CBOR Data Types


2.2. Complex JSON Types


2.2.1. Integer


An integer is a subset of the "number" type of JSON, which represents signed digits encoded in
Base 10. The definition of this integer is "[ minus ] int" per [RFC8259], Section 6.


2.2.2. Multilingual Strings


A string that needs to be represented in a human-readable language different from the default
encoding of the document is represented in the information model by the ML_STRING data type.
This data type is implemented as either an object with "value", "lang", and "translation-id"
elements or a text string as defined in Section 6. An example is shown below.


"MLStringType": {
  "value": "free-form text",           # STRING
  "lang": "en",                        # ENUM
  "translation-id": "jp2en0023"        # STRING
}


Note that in figures throughout this document, some supplementary information follows "#", but 
these are not valid syntax in JSON; instead, they are intended to facilitate reader understanding. 


2.2.3. Enum 


Enum is an ordered list of acceptable string values. Each value has a representative keyword. 
Within the data model, the enumerated type keywords are used as attribute values. 


2.2.4. Software and Software Reference 


A particular version of software is represented in the information model by the SOFTWARE data
type. This software can be described by using a reference, a Uniform Resource Locator (URL)
[RFC3986], or free-form text. The SOFTWARE data type is implemented as an object with
"SoftwareReference", "URL", and "Description" elements as defined in Section 6. Examples are
shown below.


"SoftwareType": {
  "SoftwareReference": {...},          # SoftwareReference
  "Description": ["MS Windows"]        # STRING
}


SoftwareReference class is a reference to a particular version of software. Examples are shown
below.


"SoftwareReference": {
  "value": "cpe:/a:google:chrome:59.0.3071.115",   # STRING
  "spec-name": "cpe",                              # ENUM
  "dtype": "string"                                # ENUM
}


2.2.5. Structured Information 


Information provided in the form of a structured string, such as an ID, or structured information,
such as XML documents, is represented in the information model by the STRUCTUREDINFO data
type. Note that this type was originally specified in Section 4.4 of [RFC7203] as a basic structure of
its extension classes. The STRUCTUREDINFO data type is implemented as an object with "SpecID",
"ext-SpecID", "ContentID", "RawData", and "Reference" elements. An example for embedding a
structured ID is shown below.


"STRUCTUREDINFO": {
  "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3",   # ENUM
  "ContentID": "CWE-89"                              # STRING
}


When embedding the raw data, it should be encoded as a BYTE type object, as shown below.


"STRUCTUREDINFO": {
  "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2",   # ENUM
  "RawData": "<<< encoded structured data >>>"         # BYTE
}


When embedding the raw data, base64 encoding defined in Section 4 of [RFC4648] MUST be used 
for JSON IODEF while binary representation MUST be used for CBOR IODEF. 


2.2.6. EXTENSION 


Information not otherwise represented in the IODEF can be added using the EXTENSION data
type. This data type is a generic extension mechanism. The EXTENSION data type is implemented
as an ExtensionType object with "value", "name", "dtype", "ext-dtype", "meaning", "formatid",
"restriction", "ext-restriction", and "observable-id" elements. An example for embedding a
structured ID is shown below.


"ExtensionType": {
  "value": "XXxxxxxx",                                 # STRING
  "name": "Syslog",                                    # STRING
  "dtype": "string",                                   # ENUM
  "meaning": "Syslog from the security appliance X"    # STRING
}


Note that this data type is specified in [RFC7970] as its generic extension mechanism. If a data
item has internal structure that is intended to be processed outside of the IODEF framework, one
may consider using the STRUCTUREDINFO data type mentioned in Section 2.2.5.


3. IODEF JSON Data Model 


3.1. Classes and Elements 


The following table shows the list of IODEF classes and their elements and the corresponding 
sections in [RFC7970]. Note that the complete JSON schema is defined in Section 6 using CDDL. 


IODEF Class                  Class, Element, and Attribute  Section in [RFC7970]
---------------------------  -----------------------------  --------------------
IODEF-Document               version                        3.1
                             lang?
                             format-id?
                             private-enum-name?
                             private-enum-id?
                             Incident
                             AdditionalData*

Takahashi, et al.            Standards Track                Page 8

RFC 8727                     JSON-IODEF                     August 2020


Incident                     purpose                        3.2
                             ext-purpose?
                             status?
                             ext-status?
                             lang?
                             restriction?
                             ext-restriction?
                             observable-id?
                             IncidentID
                             AlternativeID?
                             RelatedActivity*
                             DetectTime?
                             StartTime?
                             EndTime?
                             RecoveryTime?
                             ReportTime?
                             GenerationTime
                             Description*
                             Discovery*
                             Assessment*
                             Method*
                             Contact+
                             EventData*
                             Indicator*
                             History?
                             AdditionalData*

IncidentID                   id                             3.4
                             name
                             instance?
                             restriction?
                             ext-restriction?

AlternativeID                restriction?                   3.5
                             ext-restriction?
                             IncidentID+

RelatedActivity              restriction?                   3.6
                             ext-restriction?
                             IncidentID*
                             URL*
                             ThreatActor*
                             Campaign*
                             IndicatorID*
                             Confidence?
                             Description*
                             AdditionalData*

ThreatActor                  restriction?                   3.7
                             ext-restriction?
                             ThreatActorID*
                             URL*
                             Description*
                             AdditionalData*

Campaign                     restriction?                   3.8
                             ext-restriction?
                             CampaignID*
                             URL*
                             Description*
                             AdditionalData*

Contact                      role                           3.9
                             ext-role?
                             type
                             ext-type?
                             restriction?
                             ext-restriction?
                             ContactName*
                             ContactTitle*
                             Description*
                             RegistryHandle*
                             PostalAddress*
                             Email*
                             Telephone*
                             Timezone?
                             Contact*
                             AdditionalData*

RegistryHandle               handle                         3.9.1
                             registry
                             ext-registry?
PostalAddress                type?                          3.9.2
                             ext-type?
                             PAddress
                             Description*

Email                        type?
                             ext-type?
                             EmailTo
                             Description*

Telephone                    type?
                             ext-type?
                             TelephoneNumber
                             Description*

Discovery                    source?                        3.10
                             ext-source?
                             restriction?
                             ext-restriction?
                             Description*
                             Contact*
                             DetectionPattern*

DetectionPattern             restriction?                   3.10.1
                             ext-restriction?
                             observable-id?
                             Application
                             Description*
                             DetectionConfiguration*

Method                       restriction?                   3.11
                             ext-restriction?
                             Reference*
                             Description*
                             AttackPattern*
                             Vulnerability*
                             Weakness*
                             AdditionalData*

Weakness                     restriction?                   4.5.5 in [RFC7203]
                             ext-restriction?

Reference                    observable-id?                 3.11.1
                             ReferenceName?
                             URL*
                             Description*

Assessment                   occurrence?                    3.12
                             restriction?
                             ext-restriction?
                             observable-id?
                             IncidentCategory*
                             SystemImpact*
                             BusinessImpact*
                             TimeImpact*
                             MonetaryImpact*
                             IntendedImpact*
                             Counter*
                             MitigatingFactor*
                             Cause*
                             Confidence?
                             AdditionalData*

SystemImpact                 severity?                      3.12.1
                             completion?
                             type
                             ext-type?
                             Description*

BusinessImpact               severity?                      3.12.2
                             ext-severity?
                             type
                             ext-type?
                             Description*

TimeImpact                   value                          3.12.3
                             severity?
                             metric
                             ext-metric?
                             duration?
                             ext-duration?

MonetaryImpact               value                          3.12.4
                             severity?
                             currency?

Confidence                   value                          3.12.5
                             rating
                             ext-rating?

History                      restriction?                   3.13
                             ext-restriction?
                             HistoryItem+

HistoryItem                  action                         3.13.1
                             ext-action?
                             restriction?
                             ext-restriction?
                             observable-id?
                             DateTime
                             IncidentID?
                             Contact?
                             Description*
                             DefinedCOA*
                             AdditionalData*


EventData                    restriction?
                             ext-restriction?
                             observable-id?
                             Description*
                             DetectTime?
                             StartTime?
                             EndTime?
                             RecoveryTime?
                             ReportTime?
                             Contact*
                             Discovery*
                             Assessment?
                             Method*
                             System*
                             Expectation*
                             RecordData*
                             EventData*
                             AdditionalData*

Expectation                  action?
                             ext-action?
                             severity?
                             restriction?
                             ext-restriction?
                             observable-id?
                             Description*
                             DefinedCOA*
                             StartTime?
                             EndTime?
                             Contact?

System                       category?                      3.17
                             ext-category?
                             interface?
                             spoofed?
                             virtual?
                             ownership?
                             ext-ownership?
                             restriction?
                             ext-restriction?
                             Node
                             NodeRole*
                             Service*
                             OperatingSystem*
                             Counter*
                             AssetID*
                             Description*
                             AdditionalData*

Node                         DomainData*                    3.18
                             Address*
                             PostalAddress?
                             Location*
                             Counter*

Address                      value                          3.18.1
                             category
                             ext-category?
                             vlan-name?
                             vlan-num?
                             observable-id?

NodeRole                     category                       3.18.2
                             ext-category?
                             Description*

Counter                      value                          3.18.3
                             type
                             ext-type?
                             unit
                             ext-unit?
                             meaning?
                             duration?
                             ext-duration?

DomainData                   system-status                  3.19
                             ext-system-status?
                             domain-status
                             ext-domain-status?
                             observable-id?
                             Name
                             DateDomainWasChecked?
                             RegistrationDate?
                             ExpirationDate?
                             RelatedDNS*
                             Nameservers*
                             DomainContacts?

Nameservers                  Server                         3.19.1
                             Address*

DomainContacts               SameDomainContact?             3.19.2
                             Contact+

Service                      ip-protocol?                   3.20
                             observable-id?
                             ServiceName?
                             Port?
                             Portlist?
                             ProtoCode?
                             ProtoType?
                             ProtoField?
                             ApplicationHeaderField*
                             EmailData?
                             Application?

ServiceName                  IANAService?                   3.20.1
                             URL*
                             Description*

EmailData                    observable-id?
                             EmailTo*
                             EmailFrom?
                             EmailSubject?
                             EmailX-Mailer?
                             EmailHeaderField*
                             EmailHeaders?
                             EmailBody?
                             EmailMessage?
                             HashData*
                             Signature*
RecordData                   restriction?                   3.22.1
                             ext-restriction?
                             observable-id?
                             DateTime?
                             Description*
                             Application?
                             RecordPattern*
                             RecordItem*
                             URL*
                             FileData*
                             WindowsRegistryKeysModified*
                             CertificateData*
                             AdditionalData*

RecordPattern                type                           3.22.2
                             ext-type?
                             offset?
                             offsetunit?
                             ext-offsetunit?
                             instance?
                             value

WindowsRegistryKeysModified  observable-id?                 3.23
                             Key+

Key                          registryaction?                3.23.1
                             ext-registryaction?
                             observable-id?
                             KeyName
                             KeyValue?

CertificateData              restriction?                   3.24
                             ext-restriction?
                             observable-id?
                             Certificate+

Certificate                  observable-id?                 3.24.1
                             X509Data
                             Description*

FileData                     restriction?                   3.25
                             ext-restriction?
                             observable-id?
                             File+

File                         observable-id?                 3.25.1
                             FileName?
                             FileSize?
                             FileType?
                             URL*
                             HashData?
                             Signature*
                             AssociatedSoftware?
                             FileProperties*

HashData                     scope                          3.26
                             HashTargetID?
                             Hash*
                             FuzzyHash*

Hash                         DigestMethod                   3.26.1
                             DigestValue
                             CanonicalizationMethod?
                             Application?

FuzzyHash                    FuzzyHashValue+                3.26.2
                             Application?
                             AdditionalData*

Indicator                    restriction?
                             ext-restriction?
                             IndicatorID
                             AlternativeIndicatorID*
                             Description*
                             StartTime?
                             EndTime?
                             Confidence?
                             Contact*
                             Observable?
                             uid-ref?
                             IndicatorExpression?
                             IndicatorReference?
                             NodeRole*
                             AttackPhase*
                             Reference*
                             AdditionalData*

IndicatorID                  id
                             name
                             version

AlternativeIndicatorID       restriction?                   3.29.2
                             ext-restriction?
                             IndicatorID+

Observable                   restriction?                   3.29.3
                             ext-restriction?
                             System?
                             Address?
                             DomainData?
                             Service?
                             EmailData?
                             WindowsRegistryKeysModified?
                             FileData?
                             CertificateData?
                             RegistryHandle?
                             RecordData?
                             EventData?
                             Incident?
                             Expectation?
                             Reference?
                             Assessment?
                             DetectionPattern?
                             HistoryItem?
                             BulkObservable?
                             AdditionalData*

BulkObservable               type?                          3.29.3.1
                             ext-type?
                             BulkObservableFormat?
                             BulkObservableList
                             AdditionalData*
BulkObservableFormat         Hash?                          3.29.3.1.1
                             AdditionalData*

IndicatorExpression          operator?                      3.29.4
                             ext-operator?
                             IndicatorExpression*
                             Observable*
                             uid-ref*
                             IndicatorReference*
                             Confidence?
                             AdditionalData*

IndicatorReference           uid-ref?                       3.29.7
                             euid-ref?
                             version?

AttackPhase                  AttackPhaseID*                 3.29.8
                             URL?
                             Description*
                             AdditionalData*

Table 3: IODEF Classes


3.2. Mapping between JSON and XML IODEF


* Attributes and elements of each class in the XML IODEF document are both presented as
JSON attributes in the JSON IODEF document, and the order of their appearances is ignored.

* Flow class is deleted, and classes with its instances now directly have instances of the
EventData class that used to belong to the Flow class.

* ApplicationHeader class is deleted, and classes with its instances now directly have instances
of the ApplicationHeaderField class that used to belong to the ApplicationHeader class.

* SignatureData class is deleted, and classes with its instances now directly have instances of
the Signature class that used to belong to the SignatureData class.

* IndicatorData class is deleted, and classes with its instances now directly have instances of
the Indicator class that used to belong to the IndicatorData class.

* ObservableReference class is deleted, and classes with its instances now directly have uid-ref
as an element.

* Record class is deleted, and classes with its instances now directly have instances of the
RecordData class that used to belong to the Record class.

* The MLStringType was modified to support simple string by allowing the type to have not
only a predefined object type but also a text type, in order to allow simple descriptions of
elements of the type. Implementations need to be capable of parsing an MLStringType that
could take the form of both text and an object.

* The elements of the ML_STRING type in the XML IODEF document are presented as either
STRING type or ML_STRING type in the JSON IODEF document. When converting from the
XML IODEF document to the JSON IODEF document, or vice versa, the information contained
in the original data of the ML_STRING type must be preserved. When STRING is used instead
of ML_STRING, parsers can assume that its "xml:lang" is set to "en".

* Data models of the extension classes defined by [RFC7203] and referenced by [RFC7970] are
represented by the STRUCTUREDINFO class defined in this document.

* Signature, X509Data, and RawData are encoded using base64 encoding for JSON IODEF and
binary representation for CBOR IODEF to represent them as BYTE objects.

* EmailBody represents a whole message body including MIME structure in the same manner
defined in [RFC7970]. In case of an email composed of a MIME multipart, the EmailBody
contains multiple body parts separated by boundary strings.

* The "ipv6-net-mask" type attribute of the BulkObservable class remains available for the
purpose of backward compatibility, but the use of this attribute is not recommended because
IPv6 does not use netmask any more.

* ENUM values in this document are extensible and managed by IANA, which is also the case
in [RFC7970]. The values in the table are used both by [RFC7970] implementations and by
their JSON (and CBOR) bindings as specified by this document.

* This document uses JSON's "number" type to represent integers that only have full precision
for integer values between -2^53 and 2^53. When dealing with integers outside the range, this
issue needs to be considered.

* Binaries are encoded in bytes. Note that XML IODEF in [RFC7970] uses HEXBIN due to the
incapability of XML for embedding binaries as they are.
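
Several items in the list above decide how a receiver has to parse IODEF JSON: an ML_STRING may arrive as text or as an object, Signature, X509Data and RawData carry base64, and integers are only exact between -2^53 and 2^53. The following Python code is an example added here, not part of the RFC; the function names, the `SAMPLE` fragment and the choice of `Description` as the only ML_STRING member that is checked are assumptions of the example.

```python
import base64
import binascii

MAX_EXACT = 2 ** 53  # bound on full-precision integers given in Section 3.2
BYTE_MEMBERS = {"Signature", "X509Data", "RawData"}  # BYTE members named in 3.2
ML_STRING_MEMBERS = {"Description"}  # assumption: members typed ML_STRING


def normalize_ml_string(value):
    """Return an ML_STRING in object form, whichever form was received."""
    if isinstance(value, str):
        # Plain STRING form: parsers can assume "xml:lang" is "en".
        return {"value": value, "lang": "en"}
    if isinstance(value, dict) and isinstance(value.get("value"), str):
        unknown = set(value) - {"value", "lang", "translation-id"}
        if not unknown:
            return dict(value)
    raise ValueError("not a text string or an MLStringType object")


def decode_byte(value):
    """Strictly decode a JSON IODEF BYTE value (base64, RFC 4648 Section 4)."""
    if not isinstance(value, str):
        raise ValueError("BYTE value is not a string")
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError("BYTE value is not valid base64") from exc


def ingest(node, path="$", problems=None):
    """Walk parsed IODEF JSON; return (normalized copy, list of problems)."""
    problems = [] if problems is None else problems
    if isinstance(node, dict):
        out = {}
        for name, member in node.items():
            here = f"{path}.{name}"
            try:
                if name in BYTE_MEMBERS and isinstance(member, list):
                    out[name] = [decode_byte(m) for m in member]
                elif name in BYTE_MEMBERS:
                    out[name] = decode_byte(member)
                elif name in ML_STRING_MEMBERS and isinstance(member, list):
                    out[name] = [normalize_ml_string(m) for m in member]
                else:
                    out[name] = ingest(member, here, problems)[0]
            except ValueError as exc:
                # The offending member is dropped and reported, not passed on.
                problems.append(f"{here}: {exc}")
        return out, problems
    if isinstance(node, list):
        items = [ingest(v, f"{path}[{i}]", problems)[0] for i, v in enumerate(node)]
        return items, problems
    if isinstance(node, int) and not isinstance(node, bool) and abs(node) > MAX_EXACT:
        problems.append(f"{path}: integer outside -2^53..2^53")
    return node, problems


# Constructed fragment for this example, not taken from the RFC.
SAMPLE = {
    "Description": ["C2 domains",
                    {"value": "free-form text", "lang": "en",
                     "translation-id": "jp2en0023"}],
    "Reference": [{"RawData": "PHhtbD4="}, {"RawData": "PHht bD4"}],
    "File": [{"FileSize": 2 ** 53 + 1}],
}
```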


4. Examples 


This section provides examples of IODEF documents. These examples do not represent the full 
capabilities of the data model or the only way to encode particular information. 


4.1. Minimal Example 


A document containing only the mandatory elements and attributes is shown below in JSON and
CBOR, respectively.

{
  "version": "2.0",
  "lang": "en",
  "Incident": [{
    "purpose": "reporting",
    "restriction": "private",
    "IncidentID": {
      "id": "492382",
      "name": "csirt.example.com"
    },
    "GenerationTime": "2015-07-18T09:00:00-05:00",
    "Contact": [{
      "type": "organization",
      "role": "creator",
      "Email": [{"EmailTo": "contact@csirt.example.com"}]
    }]
  }]
}

Figure 1: A Minimal Example in JSON


A3                                      # map(3)
   37                                   # negative(23)
   63                                   # text(3)
      322E30                            # "2.0"
   36                                   # negative(22)
   62                                   # text(2)
      656E                              # "en"
   32                                   # negative(18)
   81                                   # array(1)
      A5                                # map(5)
         21                             # negative(1)
         69                             # text(9)
            7265706F7274696E67          # "reporting"
         29                             # negative(9)
         67                             # text(7)
            70726976617465              # "private"
         02                             # unsigned(2)
         A2                             # map(2)
            12                          # unsigned(18)
            66                          # text(6)
               343932333832             # "492382"
            2E                          # negative(14)
            71                          # text(17)
               63736972742E6578616D706C652E636F6D
                                        # "csirt.example.com"
         0A                             # unsigned(10)
         78 19                          # text(25)
            323031352D30372D31385430393A30303A30302D30353A3030
                                        # "2015-07-18T09:00:00-05:00"
         0E                             # unsigned(14)
         81                             # array(1)
            A3                          # map(3)
               18 1C                    # unsigned(28)
               6C                       # text(12)
                  6F7267616E697A6174696F6E
                                        # "organization"
               18 1A                    # unsigned(26)
               67                       # text(7)
                  63726561746F72        # "creator"
               18 22                    # unsigned(34)
               81                       # array(1)
                  A1                    # map(1)
                     18 29              # unsigned(41)
                     78 19              # text(25)
                        636F6E746163744063736972742E6578616D706C652E636F6D
                                        # "contact@csirt.example.com"

Figure 2: A Minimal Example in CBOR
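
The bytes of Figure 2 follow mechanically from Figure 1: each JSON member name is replaced by its integer mapkey (Table 4, Section 5) and the result is written as definite-length CBOR items. The Python code below is an example added here, not part of the RFC; the names `cbor_head`, `to_cbor`, `read_item`, `from_cbor` and the `MAX_DEPTH` limit are assumptions of the example, only the mapkeys the minimal document needs are included, and member names or mapkeys outside that set are rejected rather than passed through.

```python
import struct

# Subset of Table 4 (Section 5): JSON member name -> integer mapkey.
# Only the members used by the minimal document of Figure 1 are listed.
MAPKEYS = {
    "version": -24, "lang": -23, "Incident": -19, "name": -15,
    "restriction": -10, "purpose": -2, "IncidentID": 2,
    "GenerationTime": 10, "Contact": 14, "id": 18, "role": 26,
    "type": 28, "Email": 34, "EmailTo": 41,
}
NAMES = {key: name for name, key in MAPKEYS.items()}
MAX_DEPTH = 32  # assumption: nesting limit chosen for this example


def cbor_head(major, n):
    """Initial byte plus argument for a definite-length CBOR item."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | info]) + struct.pack(fmt, n)
    raise ValueError("argument does not fit in a CBOR head")


def to_cbor(value):
    """Serialize parsed IODEF JSON, replacing member names by mapkeys."""
    if isinstance(value, bool) or not isinstance(value, (int, str, list, dict)):
        raise TypeError(f"type {type(value).__name__} not handled here")
    if isinstance(value, int):
        return cbor_head(0, value) if value >= 0 else cbor_head(1, -1 - value)
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return cbor_head(3, len(raw)) + raw
    if isinstance(value, list):
        return cbor_head(4, len(value)) + b"".join(map(to_cbor, value))
    out = cbor_head(5, len(value))
    for name, member in value.items():
        if name not in MAPKEYS:
            raise KeyError(f"no mapkey known for member {name!r}")
        out += to_cbor(MAPKEYS[name]) + to_cbor(member)
    return out


def read_item(data, pos=0, depth=0):
    """Decode one item at `pos`; return (value, position after it)."""
    if depth > MAX_DEPTH or pos >= len(data):
        raise ValueError("input nested too deeply or truncated")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info <= 27:
        size = 1 << (info - 24)
        if pos + size > len(data):
            raise ValueError("truncated head")
        n, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("indefinite-length and reserved heads are rejected")
    if major in (0, 1):
        return (n if major == 0 else -1 - n), pos
    if major == 3:
        if pos + n > len(data):
            raise ValueError("truncated text string")
        return data[pos:pos + n].decode("utf-8"), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = read_item(data, pos, depth + 1)
            items.append(item)
        return items, pos
    if major == 5:
        obj = {}
        for _ in range(n):
            key, pos = read_item(data, pos, depth + 1)
            if not isinstance(key, int) or key not in NAMES or NAMES[key] in obj:
                raise ValueError(f"unknown or repeated mapkey {key!r}")
            obj[NAMES[key]], pos = read_item(data, pos, depth + 1)
        return obj, pos
    raise ValueError(f"major type {major} not handled here")


def from_cbor(data):
    """Decode a complete CBOR IODEF document back to named members."""
    value, end = read_item(data)
    if end != len(data):
        raise ValueError("trailing bytes after the document")
    return value


# The minimal document of Figure 1.
MINIMAL = {"version": "2.0", "lang": "en", "Incident": [{
    "purpose": "reporting", "restriction": "private",
    "IncidentID": {"id": "492382", "name": "csirt.example.com"},
    "GenerationTime": "2015-07-18T09:00:00-05:00",
    "Contact": [{"type": "organization", "role": "creator",
                 "Email": [{"EmailTo": "contact@csirt.example.com"}]}],
}]}
```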


4.2. Indicators from a Campaign


An example of C2 domains from a given campaign is shown below in JSON and CBOR,
respectively.

{
  "version": "2.0",
  "lang": "en",
  "Incident": [{
    "purpose": "watch",
    "restriction": "green",
    "IncidentID": {
      "id": "897923",
      "name": "csirt.example.com"
    },
    "RelatedActivity": [{
      "ThreatActor": [{
        "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
        "Description": ["Aggressive Butterfly"]}],
      "Campaign": [{
        "CampaignID": ["C-2015-59405"],
        "Description": ["Orange Giraffe"]
      }]
    }],
    "GenerationTime": "2015-10-02T11:18:00-05:00",
    "Description": ["Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."],
    "Assessment": [{
      "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
    }],
    "Contact": [{
      "type": "organization",
      "role": "creator",
      "ContactName": ["CSIRT for example.com"],
      "Email": [{
        "EmailTo": "contact@csirt.example.com"
      }]
    }],
    "Indicator": [{
      "IndicatorID": {
        "id": "G90823490",
        "name": "csirt.example.com",
        "version": "1"
      },
      "Description": ["C2 domains"],
      "StartTime": "2014-12-02T11:18:00-05:00",
      "Observable": {
        "BulkObservable": {
          "type": "domain-name",
          "BulkObservableList": "kj290023j09r34.example.com"
        }
      }
    }]
  }]
}

Figure 3: Indicators from a Campaign in JSON


A3                                      # map(3)
   37                                   # negative(23)
   63                                   # text(3)
      322E30                            # "2.0"
   36                                   # negative(22)
   62                                   # text(2)
      656E                              # "en"
   32                                   # negative(18)
   81                                   # array(1)
      A9                                # map(9)
         21                             # negative(1)
         65                             # text(5)
            7761746368                  # "watch"
         29                             # negative(9)
         65                             # text(5)
            677265656E                  # "green"
         02                             # unsigned(2)
         A2                             # map(2)
            12                          # unsigned(18)
            66                          # text(6)
               383937393233             # "897923"
            2E                          # negative(14)
            71                          # text(17)
               63736972742E6578616D706C652E636F6D
                                        # "csirt.example.com"
         04                             # unsigned(4)
         81                             # array(1)
            A2                          # map(2)
               14                       # unsigned(20)
               81                       # array(1)
                  A2                    # map(2)
                     18 18              # unsigned(24)
                     81                 # array(1)
                        78 1A           # text(26)
                           54412D31322D414747524553534956452D425554544552464C59
                                        # "TA-12-AGGRESSIVE-BUTTERFLY"
                     24                 # negative(4)
                     81                 # array(1)
                        74              # text(20)
                           4167677265737369766520427574746572666C79
                                        # "Aggressive Butterfly"
               15                       # unsigned(21)
               81                       # array(1)
                  A2                    # map(2)
                     18 19              # unsigned(25)
                     81                 # array(1)
                        6C              # text(12)
                           432D323031352D3539343035
                                        # "C-2015-59405"
                     24                 # negative(4)
                     81                 # array(1)
                        6E              # text(14)
                           4F72616E67652047697261666665
                                        # "Orange Giraffe"
         0A                             # unsigned(10)
         78 19                          # text(25)
            323031352D31302D30325431313A31383A30302D30353A3030
                                        # "2015-10-02T11:18:00-05:00"
         24                             # negative(4)
         81                             # array(1)
            78 6F                       # text(111)
               53756D6D6172697A65732074686520496E64696361746F7
               273206F6620436F6D70726F6D69736520666F7220746865
               204F72616E676520476972616666652063616D706169676
               E206F662074686520416767726573736976652042757474
               6572666C79206372696D652067616E672E
                                        # "Summarizes the Indicators
                                        #  of Compromise for the
                                        #  Orange Giraffe campaign
                                        #  of the Aggressive
                                        #  Butterfly crime gang."
         0C                             # unsigned(12)
         81                             # array(1)
            A1                          # map(1)
               18 3F                    # unsigned(63)
               81                       # array(1)
                  A1                    # map(1)
                     18 41              # unsigned(65)
                     A1                 # map(1)
                        18 1C           # unsigned(28)
                        72              # text(18)
                           6272656163682D70726F7072696574617279
                                        # "breach-proprietary"
         0E                             # unsigned(14)
         81                             # array(1)
            A4                          # map(4)
               18 1C                    # unsigned(28)
               6C                       # text(12)
                  6F7267616E697A6174696F6E
                                        # "organization"
               18 1A                    # unsigned(26)
               67                       # text(7)
                  63726561746F72        # "creator"
               18 1E                    # unsigned(30)
               81                       # array(1)
                  75                    # text(21)
                     435349525420666F72206578616D706C652E636F6D
                                        # "CSIRT for example.com"
               18 22                    # unsigned(34)
               81                       # array(1)
                  A1                    # map(1)
                     18 29              # unsigned(41)
                     78 19              # text(25)
                        636F6E746163744063736972742E6578616D706C652E636F6D
                                        # "contact@csirt.example.com"
         10                             # unsigned(16)
         81                             # array(1)
            A4                          # map(4)
               16                       # unsigned(22)
               A3                       # map(3)
                  12                    # unsigned(18)
                  69                    # text(9)
                     473930383233343930 # "G90823490"
                  2E                    # negative(14)
                  71                    # text(17)
                     63736972742E6578616D706C652E636F6D
                                        # "csirt.example.com"
                  37                    # negative(23)
                  61                    # text(1)
                     31                 # "1"
               24                       # negative(4)
               81                       # array(1)
                  6A                    # text(10)
                     433220646F6D61696E73
                                        # "C2 domains"
               06                       # unsigned(6)
               78 19                    # text(25)
                  323031342D31322D30325431313A31383A30302D30353A3030
                                        # "2014-12-02T11:18:00-05:00"
               18 AB                    # unsigned(171)
               A1                       # map(1)
                  18 B0                 # unsigned(176)
                  A2                    # map(2)
                     18 1C              # unsigned(28)
                     6B                 # text(11)
                        646F6D61696E2D6E616D65
                                        # "domain-name"
                     18 B2              # unsigned(178)
                     78 1A              # text(26)
                        6B6A3239303032336A30397233342E6578616D706C652E636F6D
                                        # "kj290023j09r34.example.com"

Figure 4: Indicators from a Campaign in CBOR


5. Mapkeys 


The mapkeys are provided in Table 4 for minimizing the CBOR size. 


mapkey cborkey
iodef-version -24
iodef-lang -23
iodef-format-id -22
iodef-private-enum-name -21
iodef-private-enum-id -20
iodef-Incident -19
iodef-AdditionalData -18
iodef-value -17 
iodef-translation-id -16 
iodef-name -15 
iodef-dtype -14 
iodef-ext-dtype -13 
iodef-meaning -12 
iodef-formatid -11 
iodef-restriction -10 
iodef-ext-restriction -9 
iodef-observable-id -8 
iodef-SoftwareReference -7 
iodef-URL -6 
iodef-Description -5 
iodef-spec-name -4 
iodef-ext-spec-name -3 
iodef-purpose -2 
iodef-ext-purpose -1 
iodef-status 0 
iodef-ext-status 1 
iodef-IncidentID 2 
iodef-AlternativeID 3 
iodef-RelatedActivity 4 
iodef-DetectTime 5 
iodef-StartTime 6 
iodef-EndTime 7 
iodef-RecoveryTime 8 
iodef-ReportTime 9 
iodef-GenerationTime 10 
iodef-Discovery 11 
iodef-Assessment 12 
iodef-Method 13 
iodef-Contact 14 
iodef-EventData 15 
iodef-Indicator 16 
iodef-History 17 
iodef-id 18 
iodef-instance 19 
iodef-ThreatActor 20 
iodef-Campaign 21 
iodef-IndicatorID 22
iodef-Confidence 23 
iodef-ThreatActorID 24 
iodef-CampaignID 25 
iodef-role 26 
iodef-ext-role 27 
iodef-type 28 
iodef-ext-type 29 
iodef-ContactName 30 
iodef-ContactTitle 31
iodef-RegistryHandle 32
iodef-PostalAddress 33 
iodef-Email 34 
iodef-Telephone 35 
iodef-Timezone 36 
iodef-handle 37 
iodef-registry 38 
iodef-ext-registry 39 
iodef-PAddress 40 
iodef-EmailTo 41 
iodef-TelephoneNumber 42 
iodef-source 43 
iodef-ext-source 44 
iodef-DetectionPattern 45 
iodef-DetectionConfiguration 46 
iodef-Application 47 
iodef-Reference 48 
iodef-AttackPattern 49 
iodef-Vulnerability 50 
iodef-Weakness 51 
iodef-SpecID 52 
iodef-ext-SpecID 53 
iodef-ContentID 54 
iodef-RawData 55 
iodef-Platform 56 
iodef-Scoring 57 
iodef-ReferenceName 58 
iodef-specIndex 59 
iodef-ID 60 
iodef-occurrence 61 
iodef-IncidentCategory 62 
iodef-Impact 63 
iodef-SystemImpact 64 
iodef-BusinessImpact 65 
iodef-TimeImpact 66
iodef-MonetaryImpact 67 
iodef-IntendedImpact 68 
iodef-Counter 69 
iodef-MitigatingFactor 70 
iodef-Cause 71 
iodef-severity 72
iodef-completion 73 
iodef-ext-severity 74 
iodef-metric 75 
iodef-ext-metric 76 
iodef-duration 77 
iodef-ext-duration 78
iodef-currency 79 
iodef-rating 80 
iodef-ext-rating 81 
iodef-HistoryItem 82 
iodef-action 83 
iodef-ext-action 84 
iodef-DateTime 85 
iodef-DefinedCOA 86 
iodef-System 87 
iodef-Expectation 88 
iodef-RecordData 89 
iodef-category 90 
iodef-ext-category 91 
iodef-interface 92 
iodef-spoofed 93 
iodef-virtual 94 
iodef-ownership 95 
iodef-ext-ownership 96 
iodef-Node 97 
iodef-NodeRole 98 
iodef-Service 99 
iodef-OperatingSystem 100 
iodef-AssetID 101 
iodef-DomainData 102
iodef-Address 103 
iodef-Location 104 
iodef-vlan-name 105 
iodef-vlan-num 106 
iodef-unit 107 
iodef-ext-unit 108 
iodef-system-status 109 
iodef-ext-system-status 110 
iodef-domain-status 111 
iodef-ext-domain-status 112
iodef-Name 113 
iodef-DateDomainWasChecked 114 
iodef-RegistrationDate 115 
iodef-ExpirationDate 116 
iodef-RelatedDNS 117 
iodef-NameServers 118 
iodef-DomainContacts 119 
iodef-Server 120 
iodef-SameDomainContact 121 
iodef-ip-protocol 122 
iodef-ServiceName 123 
iodef-Port 124 
iodef-Portlist 125 
iodef-ProtoCode 126
iodef-ProtoType 127 
iodef-ProtoField 128 
iodef-ApplicationHeaderField 129 
iodef-EmailData 130 
iodef-IANAService 131 
iodef-EmailFrom 132 
iodef-EmailSubject 133 
iodef-EmailX-Mailer 134 
iodef-EmailHeaderField 135 
iodef-EmailHeaders 136 
iodef-EmailBody 137 
iodef-EmailMessage 138 
iodef-HashData 139 
iodef-Signature 140 
iodef-RecordPattern 141 
iodef-RecordItem 142 
iodef-FileData 143
iodef-WindowsRegistryKeysModified 144
iodef-CertificateData 145
iodef-offset 146 
iodef-offsetunit 147 
iodef-ext-offsetunit 148 
iodef-Key 149 
iodef-registryaction 150
iodef-ext-registryaction 151
iodef-KeyName 152
iodef-KeyValue 153
iodef-Certificate 154 
iodef-X509Data 155 
iodef-File 156 
iodef-FileName 157 
iodef-FileSize 158 
iodef-FileType 159 
iodef-AssociatedSoftware 160 
iodef-FileProperties 161 
iodef-scope 162 
iodef-HashTargetID 163 
iodef-Hash 164 
iodef-FuzzyHash 165 
iodef-DigestMethod 166 
iodef-DigestValue 167 
iodef-CanonicalizationMethod 168 
iodef-FuzzyHashValue 169 
iodef-AlternativeIndicatorID 170 
iodef-Observable 171 
iodef-uid-ref 172
iodef-IndicatorExpression 173
iodef-IndicatorReference 174
iodef-AttackPhase 175 
iodef-BulkObservable 176 
iodef-BulkObservableFormat 177 
iodef-BulkObservableList 178 
iodef-operator 179 
iodef-ext-operator 180 
iodef-euid-ref 181 
iodef-AttackPhaseID 182 


Table 4: Mapkeys


6. The IODEF Data Model (CDDL)


This section provides the IODEF data model. Note that mapkeys are described at the beginning of
the CDDL data model for better readability.


start = iodef
;;; iodef.json: IODEF-Document 


iodef-version = -24 
iodef-lang = -23 
iodef-format-id = -22 
iodef-private-enum-name = -21 
iodef-private-enum-id = -20 
iodef-Incident = -19
iodef-AdditionalData = -18


iodef-value = -17 
iodef-translation-id = -16 
iodef-name = -15 


iodef-dtype = -14 
iodef-ext-dtype = -13 
iodef-meaning = -12 
iodef-formatid = -11 
iodef-restriction = -10 
iodef-ext-restriction = -9 
iodef-observable-id = -8 
iodef-SoftwareReference = -7 
iodef-URL = -6 
iodef-Description = -5 
iodef-spec-name = -4 
iodef-ext-spec-name = -3 
iodef-purpose = -2 
iodef-ext-purpose = -1 
iodef-status = 0
iodef-ext-status = 1
iodef-IncidentID = 2
iodef-AlternativeID = 3
iodef-RelatedActivity = 4
iodef-DetectTime = 5
iodef-StartTime = 6
iodef-EndTime = 7
iodef-RecoveryTime = 8
iodef-ReportTime = 9
iodef-GenerationTime = 10
iodef-Discovery = 11
iodef-Assessment = 12
iodef-Method = 13
iodef-Contact = 14
iodef-EventData = 15
iodef-Indicator = 16
iodef-History = 17
iodef-id = 18
iodef-instance = 19
iodef-ThreatActor = 20
iodef-Campaign = 21
iodef-IndicatorID = 22
iodef-Confidence = 23
iodef-ThreatActorID = 24
iodef-CampaignID = 25
iodef-role = 26
iodef-ext-role = 27
iodef-type = 28
iodef-ext-type = 29
iodef-ContactName = 30
iodef-ContactTitle = 31
iodef-RegistryHandle = 32
iodef-PostalAddress = 33
iodef-Email = 34
iodef-Telephone = 35
iodef-Timezone = 36
iodef-handle = 37
iodef-registry = 38
iodef-ext-registry = 39
iodef-PAddress = 40
iodef-EmailTo = 41
iodef-TelephoneNumber = 42
iodef-source = 43
iodef-ext-source = 44
iodef-DetectionPattern = 45
iodef-DetectionConfiguration = 46
iodef-Application = 47 
iodef-Reference = 48 
iodef-AttackPattern = 49 
iodef-Vulnerability = 50 
iodef-Weakness = 51 

iodef-SpecID = 52 
iodef-ext-SpecID = 53 
iodef-ContentID = 54 
iodef-RawData = 55 
iodef-Platform = 56 
iodef-Scoring = 57 
iodef-ReferenceName = 58 
iodef-specIndex = 59 

iodef-ID = 60
iodef-occurrence = 61
iodef-IncidentCategory = 62
iodef-Impact = 63
iodef-SystemImpact = 64
iodef-BusinessImpact = 65
iodef-TimeImpact = 66
iodef-MonetaryImpact = 67
iodef-IntendedImpact = 68
iodef-Counter = 69
iodef-MitigatingFactor = 70
iodef-Cause = 71
iodef-severity = 72
iodef-completion = 73
iodef-ext-severity = 74
iodef-metric = 75
iodef-ext-metric = 76
iodef-duration = 77
iodef-ext-duration = 78
iodef-currency = 79
iodef-rating = 80
iodef-ext-rating = 81
iodef-HistoryItem = 82
iodef-action = 83
iodef-ext-action = 84
iodef-DateTime = 85
iodef-DefinedCOA = 86
iodef-System = 87
iodef-Expectation = 88
iodef-RecordData = 89
iodef-category = 90
iodef-ext-category = 91
iodef-interface = 92
iodef-spoofed = 93
iodef-virtual = 94
iodef-ownership = 95
iodef-ext-ownership = 96 
iodef-Node = 97 
iodef-NodeRole = 98 
iodef-Service = 99 
iodef-OperatingSystem = 100 
iodef-AssetID = 101
iodef-DomainData = 102
iodef-Address = 103
iodef-Location = 104
iodef-vlan-name = 105
iodef-vlan-num = 106
iodef-unit = 107
iodef-ext-unit = 108
iodef-system-status = 109
iodef-ext-system-status = 110
iodef-domain-status = 111 
iodef-ext-domain-status = 112 
iodef-Name = 113 
iodef-DateDomainWasChecked = 114 
iodef-RegistrationDate = 115 
iodef-ExpirationDate = 116 
iodef-RelatedDNS = 117 
iodef-NameServers = 118 
iodef-DomainContacts = 119 
iodef-Server = 120
iodef-SameDomainContact = 121 
iodef-ip-protocol = 122 
iodef-ServiceName = 123 
iodef-Port = 124 
iodef-Portlist = 125 
iodef-ProtoCode = 126
iodef-ProtoType = 127 
iodef-ProtoField = 128 
iodef-ApplicationHeaderField = 129 
iodef-EmailData = 130
iodef-IANAService = 131 
iodef-EmailFrom = 132 
iodef-EmailSubject = 133 
iodef-EmailX-Mailer = 134 
iodef-EmailHeaderField = 135 
iodef-EmailHeaders = 136 
iodef-EmailBody = 137 
iodef-EmailMessage = 138 
iodef-HashData = 139 
iodef-Signature = 140 
iodef-RecordPattern = 141 
iodef-RecordItem = 142 
iodef-FileData = 143 
iodef-WindowsRegistryKeysModified = 144
iodef-CertificateData = 145
iodef-offset = 146
iodef-offsetunit = 147
iodef-ext-offsetunit = 148
iodef-Key = 149
iodef-registryaction = 150
iodef-ext-registryaction = 151
iodef-KeyName = 152
iodef-KeyValue = 153
iodef-Certificate = 154
iodef-X509Data = 155
iodef-File = 156
iodef-FileName = 157
iodef-FileSize = 158
iodef-FileType = 159
iodef-AssociatedSoftware = 160
iodef-FileProperties = 161 
iodef-scope = 162 
iodef-HashTargetID = 163 
iodef-Hash = 164 

iodef-FuzzyHash = 165 
iodef-DigestMethod = 166 
iodef-DigestValue = 167 
iodef-CanonicalizationMethod = 168 
iodef-FuzzyHashValue = 169 
iodef-AlternativeIndicatorID = 170 
iodef-Observable = 171 
iodef-uid-ref = 172 
iodef-IndicatorExpression = 173 
iodef-IndicatorReference = 174 
iodef-AttackPhase = 175 
iodef-BulkObservable = 176 
iodef-BulkObservableFormat = 177 
iodef-BulkObservableList = 178 
iodef-operator = 179 
iodef-ext-operator = 180 
iodef-euid-ref = 181 
iodef-AttackPhaseID = 182 


iodef = {
  iodef-version => text,
  ? iodef-lang => lang,
  ? iodef-format-id => text,
  ? iodef-private-enum-name => text,
  ? iodef-private-enum-id => text,
  iodef-Incident => [+ Incident],
  ? iodef-AdditionalData => [+ ExtensionType]
}


duration = "second" / "minute" / "hour" / "day" / "month" /
           "quarter" / "year" / "ext-value"
lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"

restriction = "public" / "partner" / "need-to-know" / "private" /
              "default" / "white" / "green" / "amber" / "red" /
              "ext-value"
SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
IDREFType = IDtype
URLtype = uri
TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
PortlistType = text .regexp
               "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
action = "nothing" / "contact-source-site" / "contact-target-site" /
         "contact-sender" / "investigate" / "block-host" /
         "block-network" / "block-port" / "rate-limit-host" /
         "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
         "honeypot" / "upgrade-software" / "rebuild-asset" /
         "harden-asset" / "remediate-other" / "status-triage" /
         "status-new-info" / "watch-and-report" / "training" /
         "defined-coa" / "other" / "ext-value"

DATETIME = tdate
BYTE = eb64legacy


MLStringType = {
  iodef-value => text,
  ? iodef-lang => lang,
  ? iodef-translation-id => text
} / text

PositiveFloatType = float32 .gt 0
PAddressType = MLStringType


ExtensionType = {
  iodef-value => text,
  ? iodef-name => text,
  iodef-dtype => "boolean" / "byte" / "bytes" / "character" /
                 "date-time" / "ntpstamp" / "integer" / "portlist" / "real" /
                 "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" /
                 "json" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" /
                 "ext-value"
                 .default "string",
  ? iodef-ext-dtype => text,
  ? iodef-meaning => text,
  ? iodef-formatid => text,
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
}


SoftwareType = {
  ? iodef-SoftwareReference => SoftwareReference,
  ? iodef-URL => [+ URLtype],
  ? iodef-Description => [+ MLStringType]
}

SoftwareReference = {
  ? iodef-value => text,
  iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
  ? iodef-ext-spec-name => text,
  ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" /
                   "ext-value" .default "string",
  ? iodef-ext-dtype => text
}


Incident = {
  iodef-purpose => "traceback" / "mitigation" / "reporting" /
                   "watch" / "other" / "ext-value",
  ? iodef-ext-purpose => text,
  ? iodef-status => "new" / "in-progress" / "forwarded" / "resolved" /
                    "future" / "ext-value",
  ? iodef-ext-status => text,
  ? iodef-lang => lang,
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  iodef-IncidentID => IncidentID,
  ? iodef-AlternativeID => AlternativeID,
  ? iodef-RelatedActivity => [+ RelatedActivity],
  ? iodef-DetectTime => DATETIME,
  ? iodef-StartTime => DATETIME,
  ? iodef-EndTime => DATETIME,
  ? iodef-RecoveryTime => DATETIME,
  ? iodef-ReportTime => DATETIME,
  iodef-GenerationTime => DATETIME,
  ? iodef-Description => [+ MLStringType],
  ? iodef-Discovery => [+ Discovery],
  ? iodef-Assessment => [+ Assessment],
  ? iodef-Method => [+ Method],
  iodef-Contact => [+ Contact],
  ? iodef-EventData => [+ EventData],
  ? iodef-Indicator => [+ Indicator],
  ? iodef-History => History,
  ? iodef-AdditionalData => [+ ExtensionType]
}

IncidentID = {
  iodef-id => text,
  iodef-name => text,
  ? iodef-instance => text,
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text
}

AlternativeID = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  iodef-IncidentID => [+ IncidentID]
}

RelatedActivity = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-IncidentID => [+ IncidentID],
  ? iodef-URL => [+ URLtype],
  ? iodef-ThreatActor => [+ ThreatActor],
  ? iodef-Campaign => [+ Campaign],
  ? iodef-IndicatorID => [+ IndicatorID],
  ? iodef-Confidence => Confidence,
  ? iodef-Description => [+ text],
  ? iodef-AdditionalData => [+ ExtensionType]
}


ThreatActor = { 
? iodef-restriction => restriction .default "private", 
? iodef-ext-restriction => text, 
? iodef-ThreatActorID => [+ text], 
? iodef-URL => [+ URLtype], 
? iodef-Description => [+ MLStringType], 
? iodef-AdditionalData => [+ ExtensionType] 
} 

Campaign = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-CampaignID => [+ text],
  ? iodef-URL => [+ URLtype],
  ? iodef-Description => [+ MLStringType],
  ? iodef-AdditionalData => [+ ExtensionType]
}

Contact = {
  iodef-role => "creator" / "reporter" / "admin" / "tech" /
                "provider" / "user" / "billing" / "legal" / "irt" / "abuse" /
                "cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" /
                "victim" / "victim-notified" / "ext-value",
  ? iodef-ext-role => text,
  iodef-type => "person" / "organization" / "ext-value",
  ? iodef-ext-type => text,
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-ContactName => [+ MLStringType],
  ? iodef-ContactTitle => [+ MLStringType],
  ? iodef-Description => [+ MLStringType],
  ? iodef-RegistryHandle => [+ RegistryHandle],
  ? iodef-PostalAddress => [+ PostalAddress],
  ? iodef-Email => [+ Email],
  ? iodef-Telephone => [+ Telephone],
  ? iodef-Timezone => TimeZonetype,
  ? iodef-Contact => [+ Contact],
  ? iodef-AdditionalData => [+ ExtensionType]
}


RegistryHandle = {
  iodef-handle => text,
  iodef-registry => "internic" / "apnic" / "arin" / "lacnic" /
                    "ripe" / "afrinic" / "local" / "ext-value",
  ? iodef-ext-registry => text
}

PostalAddress = {
  ? iodef-type => "street" / "mailing" / "ext-value",
  ? iodef-ext-type => text,
  iodef-PAddress => PAddressType,
  ? iodef-Description => [+ MLStringType]
}

Email = {
  ? iodef-type => "direct" / "hotline" / "ext-value",
  ? iodef-ext-type => text,
  iodef-EmailTo => text,
  ? iodef-Description => [+ MLStringType]
}

Telephone = {
  ? iodef-type => "wired" / "mobile" / "fax" / "hotline" /
                  "ext-value",
  ? iodef-ext-type => text,
  iodef-TelephoneNumber => text,
  ? iodef-Description => [+ MLStringType]
}


Discovery = {
  ? iodef-source => "nidps" / "hips" / "siem" / "av" /
                    "third-party-monitoring" / "incident" / "os-log" /
                    "application-log" / "device-log" / "network-flow" /
                    "passive-dns" / "investigation" / "audit" /
                    "internal-notification" / "external-notification" /
                    "leo" / "partner" / "actor" / "unknown" / "ext-value",
  ? iodef-ext-source => text,
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-Description => [+ MLStringType],
  ? iodef-Contact => [+ Contact],
  ? iodef-DetectionPattern => [+ DetectionPattern]
}

DetectionPattern = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  (iodef-Description => [+ MLStringType] //
   iodef-DetectionConfiguration => [+ text]),
  iodef-Application => SoftwareType
}

Method = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-Reference => [+ Reference],
  ? iodef-Description => [+ MLStringType],
  ? iodef-AttackPattern => [+ STRUCTUREDINFO],
  ? iodef-Vulnerability => [+ STRUCTUREDINFO],
  ? iodef-Weakness => [+ STRUCTUREDINFO],
  ? iodef-AdditionalData => [+ ExtensionType]
}

STRUCTUREDINFO = {
  iodef-SpecID => SpecID,
  ? iodef-ext-SpecID => text,
  ? iodef-ContentID => text,
  ? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]),
  ? iodef-Platform => [+ Platform],
  ? iodef-Scoring => [+ Scoring]
}
Platform = {
  iodef-SpecID => SpecID,
  ? iodef-ext-SpecID => text,
  ? iodef-ContentID => text,
  ? iodef-RawData => [+ BYTE],
  ? iodef-Reference => [+ Reference]
}

Scoring = {
  iodef-SpecID => SpecID,
  ? iodef-ext-SpecID => text,
  ? iodef-ContentID => text,
  ? iodef-RawData => [+ BYTE],
  ? iodef-Reference => [+ Reference]
}

Reference = {
  ? iodef-observable-id => IDtype,
  ? iodef-ReferenceName => ReferenceName,
  ? iodef-URL => [+ URLtype],
  ? iodef-Description => [+ MLStringType]
}

ReferenceName = {
  iodef-specIndex => integer,
  iodef-ID => IDtype
}

Assessment = {
  ? iodef-occurrence => "actual" / "potential",
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  ? iodef-IncidentCategory => [+ MLStringType],
  iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} /
                     {iodef-BusinessImpact => BusinessImpact} /
                     {iodef-TimeImpact => TimeImpact} /
                     {iodef-MonetaryImpact => MonetaryImpact} /
                     {iodef-IntendedImpact => BusinessImpact}],
  ? iodef-Counter => [+ Counter],
  ? iodef-MitigatingFactor => [+ MLStringType],
  ? iodef-Cause => [+ MLStringType],
  ? iodef-Confidence => Confidence,
  ? iodef-AdditionalData => [+ ExtensionType]
}

SystemImpact = {
  ? iodef-severity => "low" / "medium" / "high",
  ? iodef-completion => "failed" / "succeeded",
  iodef-type => "takeover-account" / "takeover-service" /
                "takeover-system" / "cps-manipulation" / "cps-damage" /
                "availability-data" / "availability-account" /
                "availability-service" / "availability-system" /
                "damaged-system" / "damaged-data" /
                "breach-proprietary" / "breach-privacy" /
                "breach-credential" / "breach-configuration" /
                "integrity-data" / "integrity-configuration" /
                "integrity-hardware" / "traffic-redirection" /
                "monitoring-traffic" / "policy" / "unknown" /
                "ext-value" .default "unknown",
  ? iodef-ext-type => text,
  ? iodef-Description => [+ MLStringType]
}

BusinessImpact = {
  ? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" /
                      "ext-value" .default "unknown",
  ? iodef-ext-severity => text,
  iodef-type => "breach-proprietary" / "breach-privacy" /
                "breach-credential" / "loss-of-integrity" / "loss-of-service" /
                "theft-financial" / "theft-service" / "degraded-reputation" /
                "asset-damage" / "asset-manipulation" / "legal" / "extortion" /
                "unknown" / "ext-value" .default "unknown",
  ? iodef-ext-type => text,
  ? iodef-Description => [+ MLStringType]
}


TimeImpact = {
  iodef-value => PositiveFloatType,
  ? iodef-severity => "low" / "medium" / "high",
  iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value",
  ? iodef-ext-metric => text,
  ? iodef-duration => duration .default "hour",
  ? iodef-ext-duration => text
}

MonetaryImpact = {
  iodef-value => PositiveFloatType,
  ? iodef-severity => "low" / "medium" / "high",
  ? iodef-currency => text
}

Confidence = {
  iodef-value => float32,
  iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" /
                  "ext-value",
  ? iodef-ext-rating => text
}

History = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  iodef-HistoryItem => [+ HistoryItem]
}

HistoryItem = {
  iodef-action => action .default "other",
  ? iodef-ext-action => text,
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  iodef-DateTime => DATETIME,
  ? iodef-IncidentID => IncidentID,
  ? iodef-Contact => Contact,
  ? iodef-Description => [+ MLStringType],
  ? iodef-DefinedCOA => [+ text],
  ? iodef-AdditionalData => [+ ExtensionType]
}


EventData = {
  ? iodef-restriction => restriction .default "default",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  ? iodef-Description => [+ MLStringType],
  ? iodef-DetectTime => DATETIME,
  ? iodef-StartTime => DATETIME,
  ? iodef-EndTime => DATETIME,
  ? iodef-RecoveryTime => DATETIME,
  ? iodef-ReportTime => DATETIME,
  ? iodef-Contact => [+ Contact],
  ? iodef-Discovery => [+ Discovery],
  ? iodef-Assessment => Assessment,
  ? iodef-Method => [+ Method],
  ? iodef-System => [+ System],
  ? iodef-Expectation => [+ Expectation],
  ? iodef-RecordData => [+ RecordData],
  ? iodef-EventData => [+ EventData],
  ? iodef-AdditionalData => [+ ExtensionType]
}

Expectation = {
  ? iodef-action => action .default "other",
  ? iodef-ext-action => text,
  ? iodef-severity => "low" / "medium" / "high",
  ? iodef-restriction => restriction .default "default",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  ? iodef-Description => [+ MLStringType],
  ? iodef-DefinedCOA => [+ text],
  ? iodef-StartTime => DATETIME,
  ? iodef-EndTime => DATETIME,
  ? iodef-Contact => Contact
}


System = {
  ? iodef-category => "source" / "target" / "intermediate" /
                      "sensor" / "infrastructure" / "ext-value",
  ? iodef-ext-category => text,
  ? iodef-interface => text,


DV. 


  ? iodef-ownership => "organization" / "personal" / "partner" /
                       "customer" / "no-relationship" / "unknown" / "ext-value",
  ? iodef-ext-ownership => text,
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  iodef-Node => Node,
  ? iodef-NodeRole => [+ NodeRole],
  ? iodef-Service => [+ Service],
  ? iodef-OperatingSystem => [+ SoftwareType],
  ? iodef-Counter => [+ Counter],
  ? iodef-AssetID => [+ text],
  ? iodef-Description => [+ MLStringType],
  ? iodef-AdditionalData => [+ ExtensionType]
}

Node = {
  (iodef-DomainData => [+ DomainData] //
   iodef-Address => [+ Address]),
  ? iodef-PostalAddress => PostalAddress,
  ? iodef-Location => [+ MLStringType],
  ? iodef-Counter => [+ Counter]
}

Address = {
  iodef-value => text,
  iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" /
                    "ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
                    "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
                    "ext-value" .default "ipv6-addr",
  ? iodef-ext-category => text,
  ? iodef-vlan-name => text,
  ? iodef-vlan-num => integer,
  ? iodef-observable-id => IDtype
}


NodeRole = {
  iodef-category => "client" / "client-enterprise" /
                    "client-partner" / "client-remote" / "client-kiosk" /
                    "client-mobile" / "server-internal" / "server-public" /
                    "www" / "mail" / "webmail" / "messaging" / "streaming" /
                    "voice" / "file" / "ftp" / "p2p" / "name" / "directory" /
                    "credential" / "print" / "application" / "database" /
                    "backup" / "dhcp" / "assessment" / "source-control" /
                    "config-management" / "monitoring" / "infra" / "infra-firewall" /
                    "infra-router" / "infra-switch" / "camera" / "proxy" /
                    "remote-access" / "log" / "virtualization" / "pos" / "scada" /
                    "scada-supervisory" / "sinkhole" / "honeypot" /
                    "anomyzation" / "c2-server" / "malware-distribution" /
                    "drop-server" / "hop-point" / "reflector" /
                    "phishing-site" / "spear-phishing-site" / "recruiting-site" /
                    "fraudulent-site" / "ext-value",
  ? iodef-ext-category => text,
  ? iodef-Description => [+ MLStringType]
}

Counter = {
  iodef-value => float32,
  iodef-type => "count" / "peak" / "average" / "ext-value",
  ? iodef-ext-type => text,
  iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" /
                "alert" / "message" / "event" / "host" / "site" / "organization" /
                "ext-value",
  ? iodef-ext-unit => text,
  ? iodef-meaning => text,
  ? iodef-duration => duration .default "hour",
  ? iodef-ext-duration => text
}


DomainData = {
  iodef-system-status => "spoofed" / "fraudulent" /
                         "innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value",
  ? iodef-ext-system-status => text,
  iodef-domain-status => "reservedDelegation" / "assignedAndActive" /
                         "assignedAndInactive" / "assignedAndOnHold" /
                         "revoked" / "transferPending" / "registryLock" /
                         "registrarLock" / "other" / "unknown" / "ext-value",
  ? iodef-ext-domain-status => text,
  ? iodef-observable-id => IDtype,
  iodef-Name => text,
  ? iodef-DateDomainWasChecked => DATETIME,
  ? iodef-RegistrationDate => DATETIME,
  ? iodef-ExpirationDate => DATETIME,
  ? iodef-RelatedDNS => [+ ExtensionType],
  ? iodef-NameServers => [+ NameServers],
  ? iodef-DomainContacts => DomainContacts
}

NameServers = {
  iodef-Server => text,
  iodef-Address => [+ Address]
}

DomainContacts = {
  (iodef-SameDomainContact => text // iodef-Contact => [+ Contact])
}

Service = {
  ? iodef-ip-protocol => integer,
  ? iodef-observable-id => IDtype,
  ? iodef-ServiceName => ServiceName,
  ? iodef-Port => integer,
  ? iodef-Portlist => PortlistType,
  ? iodef-ProtoCode => integer,
  ? iodef-ProtoType => integer,
  ? iodef-ProtoField => integer,
  ? iodef-ApplicationHeaderField => [+ ExtensionType],
  ? iodef-EmailData => EmailData,
  ? iodef-Application => SoftwareType
}

ServiceName = {
  ? iodef-IANAService => text,
  ? iodef-URL => [+ URLtype],
  ? iodef-Description => [+ MLStringType]
}

EmailData = {
  ? iodef-observable-id => IDtype,
  ? iodef-EmailTo => [+ text],
  ? iodef-EmailFrom => text,
  ? iodef-EmailSubject => text,
  ? iodef-EmailX-Mailer => text,
  ? iodef-EmailHeaderField => [+ ExtensionType],
  ? iodef-EmailHeaders => text,
  ? iodef-EmailBody => text,
  ? iodef-EmailMessage => text,
  ? iodef-HashData => [+ HashData],
  ? iodef-Signature => [+ BYTE]
}


RecordData = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  ? iodef-DateTime => DATETIME,
  ? iodef-Description => [+ MLStringType],
  ? iodef-Application => SoftwareType,
  ? iodef-RecordPattern => [+ RecordPattern],
  ? iodef-RecordItem => [+ ExtensionType],
  ? iodef-URL => [+ URLtype],
  ? iodef-FileData => [+ FileData],
  ? iodef-WindowsRegistryKeysModified =>
      [+ WindowsRegistryKeysModified],
  ? iodef-CertificateData => [+ CertificateData],
  ? iodef-AdditionalData => [+ ExtensionType]
}

RecordPattern = {
  iodef-value => text,
  iodef-type => "regex" / "binary" / "xpath" /
                "ext-value" .default "regex",
  ? iodef-ext-type => text,
  ? iodef-offset => integer,
  ? iodef-offsetunit => "line" / "byte" /
                        "ext-value" .default "line",
  ? iodef-ext-offsetunit => text,
  ? iodef-instance => integer
}


WindowsRegistryKeysModified = {
  ? iodef-observable-id => IDtype,
  iodef-Key => [+ Key]
}

Key = {
  ? iodef-registryaction => "add-key" / "add-value" / "delete-key" /
                            "delete-value" / "modify-key" / "modify-value" /
                            "ext-value",
  ? iodef-ext-registryaction => text,
  ? iodef-observable-id => IDtype,
  iodef-KeyName => text,
  ? iodef-KeyValue => text
}

CertificateData = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  iodef-Certificate => [+ Certificate]
}

Certificate = {
  ? iodef-observable-id => IDtype,
  iodef-X509Data => BYTE,
  ? iodef-Description => [+ MLStringType]
}

FileData = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  iodef-File => [+ File]
}


File = {
  ? iodef-observable-id => IDtype,
  ? iodef-FileName => text,
  ? iodef-FileSize => integer,
  ? iodef-FileType => text,
  ? iodef-URL => [+ URLtype],
  ? iodef-HashData => HashData,
  ? iodef-Signature => [+ BYTE],
  ? iodef-AssociatedSoftware => SoftwareType,
  ? iodef-FileProperties => [+ ExtensionType]
}

HashData = {
  iodef-scope => "file-contents" / "file-pe-section" /
                 "file-pe-iat" / "file-pe-resource" / "file-pdf-object" /
                 "email-hash" / "email-headers-hash" / "email-body-hash" /
                 "ext-value",
  ? iodef-HashTargetID => text,
  ? iodef-Hash => [+ Hash],
  ? iodef-FuzzyHash => [+ FuzzyHash]
}

Hash = {
  iodef-DigestMethod => BYTE,
  iodef-DigestValue => BYTE,
  ? iodef-CanonicalizationMethod => BYTE,
  ? iodef-Application => SoftwareType
}

FuzzyHash = {
  iodef-FuzzyHashValue => [+ ExtensionType],
  ? iodef-Application => SoftwareType,
  ? iodef-AdditionalData => [+ ExtensionType]
}


Indicator = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  iodef-IndicatorID => IndicatorID,
  ? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID],
  ? iodef-Description => [+ MLStringType],
  ? iodef-StartTime => DATETIME,
  ? iodef-EndTime => DATETIME,
  ? iodef-Confidence => Confidence,
  ? iodef-Contact => [+ Contact],
  (iodef-Observable => Observable // iodef-uid-ref => IDREFType //
   iodef-IndicatorExpression => IndicatorExpression //
   iodef-IndicatorReference => IndicatorReference),
  ? iodef-NodeRole => [+ NodeRole],
  ? iodef-AttackPhase => [+ AttackPhase],
  ? iodef-Reference => [+ Reference],
  ? iodef-AdditionalData => [+ ExtensionType]
}


Takahashi, et al. Standards Track Page 57


RFC 8727 JSON-IODEF August 2020


IndicatorID = {
  iodef-id => IDtype,
  iodef-name => text,
  iodef-version => text
}

AlternativeIndicatorID = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  iodef-IndicatorID => [+ IndicatorID]
}


Observable = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? (iodef-System => System // iodef-Address => Address //
     iodef-DomainData => DomainData //
     iodef-EmailData => EmailData //
     iodef-Service => Service //
     iodef-WindowsRegistryKeysModified =>
       WindowsRegistryKeysModified //
     iodef-FileData => FileData // iodef-CertificateData =>
       CertificateData //
     iodef-RegistryHandle => RegistryHandle // iodef-RecordData =>
       RecordData //
     iodef-EventData => EventData // iodef-Incident => Incident //
     iodef-Expectation => Expectation // iodef-Reference =>
       Reference //
     iodef-Assessment => Assessment //
     iodef-DetectionPattern => DetectionPattern //
     iodef-HistoryItem => HistoryItem //
     iodef-BulkObservable => BulkObservable //
     iodef-AdditionalData => [+ ExtensionType])
}

BulkObservable = {
  ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" /
                  "ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" /
                  "ipv6-net-mask" / "mac" / "site-uri" / "domain-name" /
                  "domain-to-ipv4" / "domain-to-ipv6" /
                  "domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" /
                  "ipv4-port" / "ipv6-port" / "windows-reg-key" / "file-hash" /
                  "email-x-mailer" / "email-subject" / "http-user-agent" /
                  "http-request-uri" / "mutex" / "file-path" / "user-name" /
                  "ext-value",
  ? iodef-ext-type => text,
  ? iodef-BulkObservableFormat => BulkObservableFormat,
  iodef-BulkObservableList => text,
  ? iodef-AdditionalData => [+ ExtensionType]
}

BulkObservableFormat = {
  (iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType])
}

IndicatorExpression = {
  ? iodef-operator => "not" / "and" / "or" / "xor" .default "and",
  ? iodef-ext-operator => text,
  ? iodef-IndicatorExpression => [+ IndicatorExpression],
  ? iodef-Observable => [+ Observable],
  ? iodef-uid-ref => [+ IDREFType],
  ? iodef-IndicatorReference => [+ IndicatorReference],
  ? iodef-Confidence => Confidence,
  ? iodef-AdditionalData => [+ ExtensionType]
}

IndicatorReference = {
  (iodef-uid-ref => IDREFType // iodef-euid-ref => text),
  ? iodef-version => text
}

AttackPhase = {
  ? iodef-AttackPhaseID => [+ text],
  ? iodef-URL => [+ URLtype],
  ? iodef-Description => [+ MLStringType],
  ? iodef-AdditionalData => [+ ExtensionType]
}


Figure 5: Data Model in CDDL 


7. IANA Considerations 


This document has no IANA actions. 


8. Security Considerations 


This document provides a mapping from XML IODEF defined in [RFC7970] to JSON, and Section 
3.2 describes several issues that arise when converting XML IODEF and JSON IODEF. Though it 
does not provide any further security considerations other than the one described in [RFC7970], 
implementers of this document should be aware of those issues to avoid any unintended 
outcome. 

Appendix A. Data Types Used in This Document


The CDDL prelude used in this document is mapped to JSON as shown in the table below. 


CDDL Prelude   Use of JSON   Instance   Validation
------------   -----------   --------   ----------------------------
bytes          n/a           string     tool available
text           string        string     unnecessary
tdate          n/a           string     date-time per Section 7.3.1
                                        of [JSON-SCHEMA]
integer        n/a           number     integer
eb64legacy     n/a           string     tool available
uri            n/a           string     uri per Section 7.3.6
                                        of [JSON-SCHEMA]
float32        float32       number     unnecessary


Table 5: CDDL Prelude Mapping in JSON 
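
The instance checks that Table 5 assigns to each CDDL prelude type can be applied to decoded IODEF JSON values as in the following added example, which is not part of the RFC. It assumes that bytes and eb64legacy values arrive as padded base64 strings; the FIELD_TYPES mapping and both sample records are constructed for illustration.

```python
import base64
import binascii
import re
from datetime import datetime

# RFC 3339 date-time: the "date-time" format Table 5 assigns to tdate.
_RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})(?:\.\d+)?"
    r"([Zz]|[+-]\d{2}:\d{2})$"
)
# RFC 3986 scheme followed by ':'; the "uri" format needs an absolute URI.
_URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def is_tdate(value):
    """tdate: JSON string holding a calendar-valid RFC 3339 timestamp."""
    if not isinstance(value, str):
        return False
    m = _RFC3339.match(value)
    if not m:
        return False
    year, month, day, hour, minute, second = (int(g) for g in m.groups()[:6])
    if second > 60:                      # 60 is allowed only as a leap second
        return False
    try:
        datetime(year, month, day, hour, minute, min(second, 59))
    except ValueError:                   # e.g. month 13 or 30 February
        return False
    offset = m.group(7)
    if offset in ("Z", "z"):
        return True
    return int(offset[1:3]) <= 23 and int(offset[4:6]) <= 59


def is_base64_text(value):
    """bytes / eb64legacy: JSON string in classic, padded base64 (assumed)."""
    if not isinstance(value, str):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def is_integer(value):
    """integer: JSON number with no fractional part (bool is not a number)."""
    return isinstance(value, int) and not isinstance(value, bool)


def is_uri(value):
    """uri: JSON string with a scheme and no whitespace or control chars."""
    return (isinstance(value, str)
            and _URI_SCHEME.match(value) is not None
            and not any(c.isspace() or ord(c) < 0x20 for c in value))


def is_number(value):
    """float32: any JSON number; Table 5 lists no further validation."""
    return isinstance(value, (int, float)) and not isinstance(value, bool)


# CDDL prelude type -> instance check, following the rows of Table 5.
CHECKS = {
    "bytes": is_base64_text,
    "text": lambda v: isinstance(v, str),
    "tdate": is_tdate,
    "integer": is_integer,
    "eb64legacy": is_base64_text,
    "uri": is_uri,
    "float32": is_number,
}


def validate_fields(record, field_types):
    """Return the sorted names of fields whose values fail their check."""
    return sorted(name for name, cddl_type in field_types.items()
                  if name in record and not CHECKS[cddl_type](record[name]))


# Constructed sample input; the field-to-type mapping is illustrative only.
FIELD_TYPES = {"GenerationTime": "tdate", "URL": "uri",
               "RawData": "bytes", "Port": "integer"}
GOOD = {"GenerationTime": "2020-08-01T09:30:00+09:00",
        "URL": "https://csirt.example.com/report/1",
        "RawData": "SU9ERUY=", "Port": 443}
BAD = {"GenerationTime": "2020-02-30T09:30:00Z",   # no such day
       "URL": "csirt.example.com/report/1",         # no scheme
       "RawData": "SU9ERUY", "Port": 443.5}         # bad padding, fraction

if __name__ == "__main__":
    print(validate_fields(GOOD, FIELD_TYPES))
    print(validate_fields(BAD, FIELD_TYPES))
```

Running such checks before a received document reaches downstream tooling rejects malformed timestamps, URIs and byte strings at the parsing boundary.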

Appendix B. The IODEF Data Model (JSON Schema)


This section provides a JSON schema [JSON-SCHEMA] that defines the IODEF data model defined 
in this document. Note that this section is informative. 

{"$schema": "https://json-schema.org/draft-04/schema#",
 "definitions": {
  "action": {"enum": ["nothing", "contact-source-site",
    "contact-target-site", "contact-sender", "investigate",
    "block-host", "block-network", "block-port",
    "rate-limit-host", "rate-limit-network",
    "rate-limit-port", "redirect-traffic", "honeypot",
    "upgrade-software", "rebuild-asset", "harden-asset",
    "remediate-other", "status-triage", "status-new-info",
    "watch-and-report", "training", "defined-coa", "other",
    "ext-value"]},
  "duration": {"enum": ["second", "minute", "hour", "day",
    "month", "quarter", "year", "ext-value"]},
  "SpecID": {
    "enum": ["urn:ietf:params:xml:ns:mile:mmdef:1.2",
      "private"]},
  "lang": {
    "type": "string", "pattern":
      "^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
  "purpose": {"enum": ["traceback", "mitigation",
    "reporting", "watch", "other", "ext-value"]},
  "restriction": {"enum": ["public", "partner",
    "need-to-know", "private", "default", "white", "green",
    "amber", "red", "ext-value"]},
  "status": {"enum": ["new", "in-progress", "forwarded",
    "resolved", "future", "ext-value"]},
  "DATETIME": {"type": "string", "format": "date-time"},
  "BYTE": {"type": "string"},
  "PortlistType": {
    "type": "string", "pattern":
      "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"},
  "TimeZonetype": {
    "type": "string", "pattern":
      "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
  "URLtype": {
    "type": "string",
    "pattern":
Sl ae): 42144014 elle) 
2 +007 
  "IDtype": {"type": "string", "pattern":
    "[a-zA-Z_][a-zA-Z0-9_.-]*"},
  "IDREFType": {"$ref": "#/definitions/IDtype"},
  "MLStringType": {
    "oneOf": [{"type": "string"},
      {"type": "object",
       "properties": {
         "value": {"type": "string"},
         "lang": {"$ref": "#/definitions/lang"},
         "translation-id": {"type": "string"}},
       "required": ["value"],
       "additionalProperties": false}]},
  "PositiveFloatType": {"type": "number", "minimum": 0},
  "PAddressType": {"$ref": "#/definitions/MLStringType"},
  "ExtensionType": {
    "type": "object",
    "properties": {
      "value": {"type": "string"},
      "name": {"type": "string"},
      "dtype": {"enum": ["boolean", "byte", "bytes",
        "character", "json", "date-time", "ntpstamp",
        "integer", "portlist", "real", "string", "file",
        "path", "frame", "packet", "ipv4-packet",
        "ipv6-packet", "url", "csv", "winreg",
        "xml", "ext-value"], "default": "string"},
      "ext-dtype": {"type": "string"},
      "meaning": {"type": "string"},
      "formatid": {"type": "string"},
      "restriction": {
        "$ref": "#/definitions/restriction", "default":
        "private"},
      "ext-restriction": {"type": "string"},
      "observable-id": {"$ref": "#/definitions/IDtype"}},
    "required": ["value", "dtype"],
    "additionalProperties": false},
  "ExtensionTypeList": {
    "type": "array",
    "items": {"$ref": "#/definitions/ExtensionType"},
    "minItems": 1},
  "SoftwareType": {
    "type": "object",
    "properties": {
      "SoftwareReference": {
        "$ref": "#/definitions/SoftwareReference"},
      "URL": {
        "type": "array",
        "items": {"$ref": "#/definitions/URLtype",
        "minItems": 1}},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1}},
    "required": [],
    "additionalProperties": false},
  "SoftwareReference": {
    "type": "object",
    "properties": {
      "value": {"type": "string"},
      "spec-name": {"enum": ["custom", "cpe", "swid",
        "ext-value"]},
      "ext-spec-name": {"type": "string"},
      "dtype": {"enum": ["bytes", "integer", "real", "string",
        "xml", "ext-value"], "default": "string"},
      "ext-dtype": {"type": "string"}},
    "required": ["spec-name"],
    "additionalProperties": false},

  "STRUCTUREDINFO": {
    "type": "object",
    "properties": {
      "SpecID": {"$ref": "#/definitions/SpecID"},
      "ext-SpecID": {"type": "string"},
      "ContentID": {"type": "string"},
      "RawData": {
        "type": "array",
        "items": {"$ref": "#/definitions/BYTE"},
        "minItems": 1
      },
      "Reference": {
        "type": "array",
        "items": {"$ref": "#/definitions/Reference"},
        "minItems": 1
      },
      "Platform": {
        "type": "array",
        "items": {"$ref": "#/definitions/Platform"},
        "minItems": 1
      },
      "Scoring": {
        "type": "array",
        "items": {"$ref": "#/definitions/Scoring"},
        "minItems": 1}},
    "allOf": [
      {"required": ["SpecID"]},
      {"anyOf": [
        {"oneOf": [
          {"required": ["Reference"]},
          {"required": ["RawData"]}]},
        {"not": {"required": ["Reference", "RawData"]}}]}],
    "additionalProperties": false},
  "Platform": {
    "type": "object",
    "properties": {
      "SpecID": {"$ref": "#/definitions/SpecID"},
      "ext-SpecID": {"type": "string"},
      "ContentID": {"type": "string"},
      "RawData": {
        "type": "array",
        "items": {"$ref": "#/definitions/BYTE"},
        "minItems": 1
      },
      "Reference": {
        "type": "array",
        "items": {"$ref": "#/definitions/Reference"},
        "minItems": 1}},
    "required": ["SpecID"],
    "additionalProperties": false},
  "Scoring": {
    "type": "object",
    "properties": {
      "SpecID": {"$ref": "#/definitions/SpecID"},
      "ext-SpecID": {"type": "string"},
      "ContentID": {"type": "string"},
      "RawData": {
        "type": "array",
        "items": {"$ref": "#/definitions/BYTE"},
        "minItems": 1
      },
      "Reference": {
        "type": "array",
        "items": {"$ref": "#/definitions/Reference"},
        "minItems": 1}},
    "required": ["SpecID"],
    "additionalProperties": false},

  "Incident": {
    "title": "Incident",
    "description": "JSON schema for Incident class",
    "type": "object",
    "properties": {
      "purpose": {"$ref": "#/definitions/purpose"},
      "ext-purpose": {"type": "string"},
      "status": {"$ref": "#/definitions/status"},
      "ext-status": {"type": "string"},
      "lang": {"$ref": "#/definitions/lang"},
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "observable-id": {"$ref": "#/definitions/IDtype"},
      "IncidentID": {"$ref": "#/definitions/IncidentID"},
      "AlternativeID": {
        "$ref": "#/definitions/AlternativeID"},
      "RelatedActivity": {
        "type": "array",
        "items": {"$ref": "#/definitions/RelatedActivity"},
        "minItems": 1},
      "DetectTime": {"$ref": "#/definitions/DATETIME"},
      "StartTime": {"$ref": "#/definitions/DATETIME"},
      "EndTime": {"$ref": "#/definitions/DATETIME"},
      "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
      "ReportTime": {"$ref": "#/definitions/DATETIME"},
      "GenerationTime": {"$ref": "#/definitions/DATETIME"},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "Discovery": {
        "type": "array",
        "items": {"$ref": "#/definitions/Discovery"},
        "minItems": 1},
      "Assessment": {
        "type": "array",
        "items": {"$ref": "#/definitions/Assessment"},
        "minItems": 1},
      "Method": {
        "type": "array",
        "items": {"$ref": "#/definitions/Method"},
        "minItems": 1},
      "Contact": {
        "type": "array",
        "items": {"$ref": "#/definitions/Contact"},
        "minItems": 1},
      "EventData": {
        "type": "array",
        "items": {"$ref": "#/definitions/EventData"},
        "minItems": 1},
      "Indicator": {
        "type": "array",
        "items": {"$ref": "#/definitions/Indicator"},
        "minItems": 1},
      "History": {"$ref": "#/definitions/History"},
      "AdditionalData": {
        "$ref": "#/definitions/ExtensionTypeList"}},
    "required": ["IncidentID", "GenerationTime", "Contact",
      "purpose"],
    "additionalProperties": false},
  "IncidentID": {
    "title": "IncidentID",
    "description": "JSON schema for IncidentID class",
    "type": "object",
    "properties": {
      "id": {"type": "string"},
      "name": {"type": "string"},
      "instance": {"type": "string"},
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"}},
    "required": ["id", "name"],
    "additionalProperties": false},
  "AlternativeID": {
    "title": "AlternativeID",
    "description": "JSON schema for AlternativeID class",
    "type": "object",
    "properties": {
      "IncidentID": {
        "type": "array",
        "items": {"$ref": "#/definitions/IncidentID"},
        "minItems": 1},
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"}},
    "required": ["IncidentID"],
    "additionalProperties": false},

  "RelatedActivity": {
    "properties": {
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "IncidentID": {
        "type": "array",
        "items": {"$ref": "#/definitions/IncidentID"},
        "minItems": 1},
      "URL": {
        "type": "array",
        "items": {"$ref": "#/definitions/URLtype"},
        "minItems": 1},
      "ThreatActor": {
        "type": "array",
        "items": {"$ref": "#/definitions/ThreatActor"},
        "minItems": 1},
      "Campaign": {
        "type": "array",
        "items": {"$ref": "#/definitions/Campaign"},
        "minItems": 1},
      "IndicatorID": {
        "type": "array",
        "items": {"$ref": "#/definitions/IndicatorID"},
        "minItems": 1},
      "Confidence": {"$ref": "#/definitions/Confidence"},
      "Description": {
        "type": "array",
        "items": {"type": "string"},
        "minItems": 1},
      "AdditionalData": {
        "$ref": "#/definitions/ExtensionTypeList"}},
    "additionalProperties": false},
  "ThreatActor": {
    "properties": {
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "ThreatActorID": {
        "type": "array",
        "items": {"type": "string"},
        "minItems": 1},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "URL": {
        "type": "array",
        "items": {"$ref": "#/definitions/URLtype"},
        "minItems": 1},
      "AdditionalData": {
        "$ref": "#/definitions/ExtensionTypeList"}},
    "additionalProperties": false},
  "Campaign": {
    "properties": {
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "CampaignID": {
        "type": "array",
        "items": {"type": "string"},
        "minItems": 1},
      "URL": {
        "type": "array",
        "items": {"$ref": "#/definitions/URLtype"},
        "minItems": 1},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "AdditionalData": {
        "$ref": "#/definitions/ExtensionTypeList"}}},


  "Contact": {
    "type": "object",
    "properties": {
      "role": {
        "enum": ["creator", "reporter", "admin", "tech",
          "provider", "user", "billing", "legal",
          "irt", "abuse", "cc", "cc-irt", "leo",
          "vendor", "vendor-support", "victim",
          "victim-notified", "ext-value"]},
      "ext-role": {"type": "string"},
      "type": {
        "enum": ["person", "organization", "ext-value"]},
      "ext-type": {"type": "string"},
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "ContactName": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "ContactTitle": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "RegistryHandle": {
        "type": "array",
        "items": {"$ref": "#/definitions/RegistryHandle"},
        "minItems": 1},
      "PostalAddress": {
        "type": "array",
        "items": {"$ref": "#/definitions/PostalAddress"},
        "minItems": 1},
      "Email": {
        "type": "array",
        "items": {"$ref": "#/definitions/Email"},
        "minItems": 1},
      "Telephone": {
        "type": "array",
        "items": {"$ref": "#/definitions/Telephone"},
        "minItems": 1},
      "Timezone": {"$ref": "#/definitions/TimeZonetype"},
      "Contact": {
        "type": "array",
        "items": {"$ref": "#/definitions/Contact"},
        "minItems": 1},
      "AdditionalData": {
        "$ref": "#/definitions/ExtensionTypeList"}},
    "required": ["role", "type"],
    "additionalProperties": false},
  "RegistryHandle": {
    "type": "object",
    "properties": {
      "handle": {"type": "string"},
      "registry": {
        "enum": ["internic", "apnic", "arin", "lacnic",
          "ripe", "afrinic", "local", "ext-value"]},
      "ext-registry": {"type": "string"}},
    "required": ["handle", "registry"],
    "additionalProperties": false},
  "PostalAddress": {
    "type": "object",
    "properties": {
      "type": {
        "enum": ["street", "mailing", "ext-value"]},
      "ext-type": {"type": "string"},
      "PAddress": {"$ref": "#/definitions/PAddressType"},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1}},
    "required": ["PAddress"],
    "additionalProperties": false},

  "Email": {
    "type": "object",
    "properties": {
      "type": {
        "enum": ["direct", "hotline", "ext-value"]},
      "ext-type": {"type": "string"},
      "EmailTo": {"type": "string"},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1}},
    "required": ["EmailTo"],
    "additionalProperties": false},
  "Telephone": {
    "type": "object",
    "properties": {
      "type": {
        "enum": ["wired", "mobile", "fax", "hotline",
          "ext-value"]},
      "ext-type": {"type": "string"},
      "TelephoneNumber": {"type": "string"},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1}},
    "required": ["TelephoneNumber"],
    "additionalProperties": false},
  "Discovery": {
    "type": "object",
    "properties": {
      "source": {
        "enum": ["nidps", "hips", "siem", "av",
          "third-party-monitoring", "incident", "os-log",
          "application-log", "device-log", "network-flow",
          "passive-dns", "investigation", "audit",
          "internal-notification", "external-notification",
          "leo", "partner", "actor", "unknown", "ext-value"]},
      "ext-source": {"type": "string"},
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "Contact": {
        "type": "array",
        "items": {"$ref": "#/definitions/Contact"},
        "minItems": 1},
      "DetectionPattern": {
        "type": "array",
        "items": {"$ref": "#/definitions/DetectionPattern"},
        "minItems": 1}},
    "required": [],
    "additionalProperties": false},
  "DetectionPattern": {
    "type": "object",
    "properties": {
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "observable-id": {"$ref": "#/definitions/IDtype"},
      "Application": {"$ref": "#/definitions/SoftwareType"},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "DetectionConfiguration": {
        "type": "array",
        "items": {"type": "string"},
        "minItems": 1}},
    "allOf": [
      {"required": ["Application"]},
      {"oneOf": [
        {"required": ["Description"]},
        {"required": ["DetectionConfiguration"]}]}],
    "additionalProperties": false},
  "Method": {
    "type": "object",
    "properties": {
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "Reference": {
        "type": "array",
        "items": {"$ref": "#/definitions/Reference"},
        "minItems": 1},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "AttackPattern": {
        "type": "array",
        "items": {"$ref": "#/definitions/STRUCTUREDINFO"},
        "minItems": 1},
      "Vulnerability": {
        "type": "array",
        "items": {"$ref": "#/definitions/STRUCTUREDINFO"},
        "minItems": 1},
      "Weakness": {
        "type": "array",
        "items": {"$ref": "#/definitions/STRUCTUREDINFO"},
        "minItems": 1},
      "AdditionalData": {
        "$ref": "#/definitions/ExtensionTypeList"}},
    "required": [],
    "additionalProperties": false},
  "Reference": {
    "type": "object",
    "properties": {
      "observable-id": {"$ref": "#/definitions/IDtype"},
      "ReferenceName": {
        "$ref": "#/definitions/ReferenceName"},
      "URL": {
        "type": "array",
        "items": {"$ref": "#/definitions/URLtype"},
        "minItems": 1},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1}},
    "required": [],
    "additionalProperties": false},
  "ReferenceName": {
    "type": "object",
    "properties": {
      "specIndex": {"type": "number"},
      "ID": {"$ref": "#/definitions/IDtype"}},
    "required": ["specIndex", "ID"],
    "additionalProperties": false},

  "Assessment": {
    "type": "object",
    "properties": {
      "occurrence": {"enum": ["actual", "potential"]},
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "observable-id": {"$ref": "#/definitions/IDtype"},
      "IncidentCategory": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "Impact": {
        "type": "array",
        "items": {
          "properties": {
            "SystemImpact": {
              "$ref": "#/definitions/SystemImpact"},
            "BusinessImpact": {
              "$ref": "#/definitions/BusinessImpact"},
            "TimeImpact": {"$ref": "#/definitions/TimeImpact"},
            "MonetaryImpact": {
              "$ref": "#/definitions/MonetaryImpact"},
            "IntendedImpact": {
              "$ref": "#/definitions/BusinessImpact"}},
          "additionalProperties": false},
        "minItems": 1
      },
      "Counter": {
        "type": "array",
        "items": {"$ref": "#/definitions/Counter"},
        "minItems": 1},
      "MitigatingFactor": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "Cause": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "Confidence": {"$ref": "#/definitions/Confidence"},
      "AdditionalData": {
        "$ref": "#/definitions/ExtensionTypeList"}},
    "required": ["Impact"],
    "additionalProperties": false},
  "SystemImpact": {
    "type": "object",
    "properties": {
      "severity": {"enum": ["low", "medium", "high"]},
      "completion": {"enum": ["failed", "succeeded"]},
      "type": {
        "enum": ["takeover-account", "takeover-service",
          "takeover-system", "cps-manipulation", "cps-damage",
          "availability-data", "availability-account",
          "availability-service", "availability-system",
          "damaged-system", "damaged-data",
          "breach-proprietary", "breach-privacy",
          "breach-credential", "breach-configuration",
          "integrity-data", "integrity-configuration",
          "integrity-hardware", "traffic-redirection",
          "monitoring-traffic", "monitoring-host",
          "policy", "unknown", "ext-value"]},
      "ext-type": {"type": "string"},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1}},
    "required": ["type"],
    "additionalProperties": false},
  "BusinessImpact": {
    "type": "object",
    "properties": {
      "severity": {"enum": ["none", "low", "medium", "high",
        "unknown", "ext-value"], "default": "unknown"},
      "ext-severity": {"type": "string"},
      "type": {"enum": ["breach-proprietary",
        "breach-privacy", "breach-credential",
        "loss-of-integrity", "loss-of-service",
        "theft-financial", "theft-service",
        "degraded-reputation", "asset-damage",
        "asset-manipulation", "legal", "extortion",
        "unknown", "ext-value"]},
      "ext-type": {"type": "string"},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1}},
    "required": ["type"],
    "additionalProperties": false},
  "TimeImpact": {
    "type": "object",
    "properties": {
      "value": {"$ref": "#/definitions/PositiveFloatType"},
      "severity": {"enum": ["low", "medium", "high"]},
      "metric": {"enum": ["labor", "elapsed", "downtime",
        "ext-value"]},
      "ext-metric": {"type": "string"},
      "duration": {
        "$ref": "#/definitions/duration", "default": "hour"},


Takahashi, et al. Standards Track Page 73 


RFC 8727 JSON-IODEF August 2020 


      "ext-duration": {"type": "string"}},
    "required": ["value", "metric"],
    "additionalProperties": false},
  "MonetaryImpact": {
    "type": "object",
    "properties": {
      "value": {"$ref": "#/definitions/PositiveFloatType"},
      "severity": {"enum": ["low", "medium", "high"]},
      "currency": {"type": "string"}},
    "required": ["value"],
    "additionalProperties": false},
  "Confidence": {
    "type": "object",
    "properties": {
      "value": {"type": "number"},
      "rating": {"enum": ["low", "medium", "high", "numeric",
        "unknown", "ext-value"]},
      "ext-rating": {"type": "string"}},
    "required": ["value", "rating"],
    "additionalProperties": false},
  "History": {
    "type": "object",
    "properties": {
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "HistoryItem": {
        "type": "array",
        "items": {"$ref": "#/definitions/HistoryItem"},
        "minItems": 1}},
    "required": ["HistoryItem"],
    "additionalProperties": false},
  "HistoryItem": {
    "type": "object",
    "properties": {
      "action": {
        "$ref": "#/definitions/action", "default": "other"},
      "ext-action": {"type": "string"},
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "observable-id": {"$ref": "#/definitions/IDtype"},
      "DateTime": {"$ref": "#/definitions/DATETIME"},
      "IncidentID": {"$ref": "#/definitions/IncidentID"},
      "Contact": {"$ref": "#/definitions/Contact"},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "DefinedCOA": {
        "type": "array",
        "items": {"type": "string"},
        "minItems": 1},
      "AdditionalData": {
        "$ref": "#/definitions/ExtensionTypeList"}},
    "required": ["DateTime", "action"],
    "additionalProperties": false},
  "EventData": {
    "type": "object",
    "properties": {
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "observable-id": {"$ref": "#/definitions/IDtype"},
      "Description": {"type": "array",
        "items": {"$ref": "#/definitions/MLStringType"}},
      "DetectTime": {"$ref": "#/definitions/DATETIME"},
      "StartTime": {"$ref": "#/definitions/DATETIME"},
      "EndTime": {"$ref": "#/definitions/DATETIME"},
      "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
      "ReportTime": {"$ref": "#/definitions/DATETIME"},
      "Contact": {
        "type": "array",
        "items": {"$ref": "#/definitions/Contact"},
        "minItems": 1},
      "Discovery": {
        "type": "array",
        "items": {"$ref": "#/definitions/Discovery"},
        "minItems": 1},
      "Assessment": {"$ref":
        "#/definitions/Assessment"},
      "Method": {
        "type": "array",
        "items": {"$ref": "#/definitions/Method"},
        "minItems": 1},
      "System": {
        "type": "array",
        "items": {"$ref": "#/definitions/System"},
        "minItems": 1},
      "Expectation": {
        "type": "array",
        "items": {"$ref": "#/definitions/Expectation"},
        "minItems": 1},
      "RecordData": {
        "type": "array",
        "items": {"$ref": "#/definitions/RecordData"},
        "minItems": 1},
      "EventData": {
        "type": "array",
        "items": {"$ref": "#/definitions/EventData"},
        "minItems": 1},
      "AdditionalData": {
        "$ref": "#/definitions/ExtensionTypeList"}},
    "required": [],
    "additionalProperties": false},
  "Expectation": {
    "type": "object",
    "properties": {
      "action": {
        "$ref": "#/definitions/action", "default": "other"},
      "ext-action": {"type": "string"},
      "severity": {"enum": ["low", "medium", "high"]},
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "default"},
      "ext-restriction": {"type": "string"},
      "observable-id": {"$ref": "#/definitions/IDtype"},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "DefinedCOA": {
        "type": "array",
        "items": {"type": "string"},
        "minItems": 1},
      "StartTime": {"$ref": "#/definitions/DATETIME"},
      "EndTime": {"$ref": "#/definitions/DATETIME"},
      "Contact": {"$ref": "#/definitions/Contact"}},
    "required": [],
    "additionalProperties": false},
  "System": {
    "type": "object",
    "properties": {
      "category": {
        "enum": ["source", "target", "intermediate", "sensor",
          "infrastructure", "ext-value"]},
      "ext-category": {"type": "string"},
      "interface": {"type": "string"},
      "spoofed": {
        "enum": ["unknown", "yes", "no"], "default": "unknown"},
      "virtual": {
        "enum": ["yes", "no", "unknown"], "default": "unknown"},
      "ownership": {
        "enum": ["organization", "personal", "partner",
          "customer", "no-relationship", "unknown",
          "ext-value"]},
      "ext-ownership": {"type": "string"},
      "restriction": {"$ref": "#/definitions/restriction",
        "default": "private"},
      "ext-restriction": {"type": "string"},
      "observable-id": {"$ref": "#/definitions/IDtype"},
      "Node": {"$ref": "#/definitions/Node"},
      "NodeRole": {
        "type": "array",
        "items": {"$ref": "#/definitions/NodeRole"},
        "minItems": 1},
      "Service": {
        "type": "array",
        "items": {"$ref": "#/definitions/Service"},
        "minItems": 1},
      "OperatingSystem": {
        "type": "array",
        "items": {"$ref": "#/definitions/SoftwareType"},
        "minItems": 1},
      "Counter": {
        "type": "array",
        "items": {"$ref": "#/definitions/Counter"},
        "minItems": 1},
      "AssetID": {
        "type": "array",
        "items": {"type": "string"},
        "minItems": 1},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "AdditionalData": {
        "$ref": "#/definitions/ExtensionTypeList"}},
    "required": ["Node"],
    "additionalProperties": false},
  "Node": {
    "type": "object",
    "properties": {
      "DomainData": {
        "type": "array",
        "items": {"$ref": "#/definitions/DomainData"},
        "minItems": 1},
      "Address": {
        "type": "array",
        "items": {"$ref": "#/definitions/Address"},
        "minItems": 1},
      "PostalAddress": {
        "$ref": "#/definitions/PostalAddress"},
      "Location": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1},
      "Counter": {
        "type": "array",
        "items": {"$ref": "#/definitions/Counter"},
        "minItems": 1}},
    "anyOf": [
      {"required": ["DomainData"]},
      {"required": ["Address"]}
    ],
    "additionalProperties": false},
  "Address": {
    "type": "object",
    "properties": {
      "value": {"type": "string"},
      "category": {
        "enum": ["asn", "atm", "e-mail", "ipv4-addr", "ipv4-net",
          "ipv4-net-masked", "ipv4-net-mask", "ipv6-addr",
          "ipv6-net", "ipv6-net-masked", "mac", "site-uri",
          "ext-value"], "default": "ipv6-addr"},
      "ext-category": {"type": "string"},
      "vlan-name": {"type": "string"},
      "vlan-num": {"type": "number"},
      "observable-id": {"$ref": "#/definitions/IDtype"}},
    "required": ["value", "category"],
    "additionalProperties": false},

  "NodeRole": {
    "type": "object",
    "properties": {
      "category": {
        "enum": ["client", "client-enterprise",
          "client-partner", "client-remote", "client-kiosk",
          "client-mobile", "server-internal", "server-public",
          "www", "mail", "webmail", "messaging", "streaming",
          "voice", "file", "ftp", "p2p", "name", "directory",
          "credential", "print", "application", "database",
          "backup", "dhcp", "assessment", "source-control",
          "config-management", "monitoring", "infra",
          "infra-firewall", "infra-router", "infra-switch",
          "camera", "proxy", "remote-access", "log",
          "virtualization", "pos", "scada",
          "scada-supervisory", "sinkhole", "honeypot",
          "anomyzation", "c2-server", "malware-distribution",
          "drop-server", "hop-point", "reflector",
          "phishing-site", "spear-phishing-site",
          "recruiting-site", "fraudulent-site",
          "ext-value"]},
      "ext-category": {"type": "string"},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1}},
    "required": ["category"],
    "additionalProperties": false},
  "Counter": {
    "type": "object",
    "properties": {
      "value": {"type": "number"},
      "type": {
        "enum": ["count", "peak", "average", "ext-value"]},
      "ext-type": {"type": "string"},
      "unit": {"enum": ["byte", "mbit", "packet", "flow",
        "session", "alert", "message", "event", "host",
        "site", "organization", "ext-value"]},
      "ext-unit": {"type": "string"},
      "meaning": {"type": "string"},
      "duration": {
        "$ref": "#/definitions/duration", "default": "hour"},
      "ext-duration": {"type": "string"}},
    "required": ["value", "type", "unit"],
    "additionalProperties": false},
  "DomainData": {
    "type": "object",
    "properties": {
      "system-status": {
        "enum": ["spoofed", "fraudulent", "innocent-hacked",
          "innocent-hijacked", "unknown", "ext-value"]},
      "ext-system-status": {"type": "string"},
      "domain-status": {
        "enum": ["reservedDelegation", "assignedAndActive",
          "assignedAndInactive", "assignedAndOnHold",
          "revoked", "transferPending",
          "registryLock", "registrarLock",
          "other", "unknown", "ext-value"]},
      "ext-domain-status": {"type": "string"},
      "observable-id": {"$ref": "#/definitions/IDtype"},
      "Name": {"type": "string"},
      "DateDomainWasChecked": {
        "$ref": "#/definitions/DATETIME"},
      "RegistrationDate": {
        "$ref": "#/definitions/DATETIME"},
      "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
      "RelatedDNS": {
        "type": "array",
        "items": {"$ref": "#/definitions/ExtensionType"},
        "minItems": 1},
      "NameServers": {
        "type": "array",
        "items": {"$ref": "#/definitions/NameServers"},
        "minItems": 1},
      "DomainContacts": {
        "$ref": "#/definitions/DomainContacts"}},
    "required": ["Name", "system-status", "domain-status"],
    "additionalProperties": false},
  "NameServers": {
    "type": "object",
    "properties": {
      "Server": {"type": "string"},
      "Address": {
        "type": "array",
        "items": {"$ref": "#/definitions/Address"},
        "minItems": 1}},
    "required": ["Server", "Address"],
    "additionalProperties": false},
  "DomainContacts": {
    "type": "object",
    "properties": {
      "SameDomainContact": {"type": "string"},
      "Contact": {
        "type": "array",
        "items": {"$ref": "#/definitions/Contact"},
        "minItems": 1}},
    "oneOf": [
      {"required": ["SameDomainContact"]},
      {"required": ["Contact"]}],
    "additionalProperties": false},

  "Service": {
    "type": "object",
    "properties": {
      "ip-protocol": {"type": "number"},
      "observable-id": {"$ref": "#/definitions/IDtype"},
      "ServiceName": {"$ref": "#/definitions/ServiceName"},
      "Port": {"type": "number"},
      "Portlist": {"$ref": "#/definitions/PortlistType"},
      "ProtoCode": {"type": "number"},
      "ProtoType": {"type": "number"},
      "ProtoField": {"type": "number"},
      "ApplicationHeaderField": {
        "$ref": "#/definitions/ExtensionTypeList"},
      "EmailData": {"$ref": "#/definitions/EmailData"},
      "Application": {
        "$ref": "#/definitions/SoftwareType"}},
    "required": [],
    "additionalProperties": false},
  "ServiceName": {
    "type": "object",
    "properties": {
      "IANAService": {"type": "string"},
      "URL": {
        "type": "array", "items": {
          "$ref": "#/definitions/URLtype"}},
      "Description": {
        "type": "array",
        "items": {"$ref": "#/definitions/MLStringType"},
        "minItems": 1}},
    "required": [],
    "additionalProperties": false},
  "EmailData": {
    "type": "object",
    "properties": {
      "observable-id": {"$ref": "#/definitions/IDtype"},
      "EmailTo": {
        "type": "array",
        "items": {"type": "string"},
        "minItems": 1},
      "EmailFrom": {"type": "string"},
      "EmailSubject": {"type": "string"},
      "EmailX-Mailer": {"type": "string"},
      "EmailHeaderField": {
        "type": "array",
        "items": {"$ref": "#/definitions/ExtensionType"},
        "minItems": 1},
      "EmailHeaders": {"type": "string"},
      "EmailBody": {"type": "string"},
      "EmailMessage": {"type": "string"},
      "HashData": {
        "type": "array",
        "items": {"$ref": "#/definitions/HashData"},
        "minItems": 1},
      "Signature": {
        "type": "array",
        "items": {"$ref": "#/definitions/BYTE"},
        "minItems": 1}},
    "required": [],
    "additionalProperties": false},
"RecordData": { 
"type": "object", 
"properties": { 


"restriction": {"Sref": "#/definitions/restriction", 
"default": "private", 
"ext-restriction": {"type": "string"}, 


"observable-id": {"Sref": "#/definitions/IDtype"}, 
"DateTime": {"$ref": "#/definitions/DATETIME"}, 
"Description": { 
"type": "array", 
"items": {"Sref": "#/definitions/MLStringType"}, 
"minItems": 1}, 
"Application": {"Sref": "#/definitions/SoftwareType"}, 
"RecordPattern": { 
"type": "array", 
"items": {"Sref": "#/definitions/RecordPattern"}, 
"minItems": 1), 
"RecordItem": { 
"type": "array", 
"items": {"Sref": "#/definitions/ExtensionType"}, 
"minItems": 1), 
"URL": { 
"type": "array", 
"items": {"Sref": "#/definitions/URLtype"}, 
"minItems": 1), 
"FileData": { 
"array", 
"items": {"Sref": "#/definitions/FileData"}, 
          "minItems": 1},
        "WindowsRegistryKeysModified": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/WindowsRegistryKeysModified"},
          "minItems": 1},
        "CertificateData": {
          "type": "array",
          "items": {"$ref": "#/definitions/CertificateData"},
          "minItems": 1},
        "AdditionalData": {
          "$ref": "#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "RecordPattern": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {
          "enum": ["regex", "binary", "xpath", "ext-value"],
          "default": "regex"},
        "ext-type": {"type": "string"},
        "offset": {"type": "number"},
        "offsetunit": {"enum": ["line", "byte", "ext-value"],
                       "default": "line"},
        "ext-offsetunit": {"type": "string"},
        "instance": {"type": "number"}},
      "required": ["value", "type"],
      "additionalProperties": false},
    "WindowsRegistryKeysModified": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Key": {
          "type": "array",
          "items": {"$ref": "#/definitions/Key"},
          "minItems": 1}},
      "required": ["Key"],
      "additionalProperties": false},
    "Key": {
      "type": "object",
      "properties": {
        "registryaction": {"enum": ["add-key", "add-value",
          "delete-key", "delete-value",
          "modify-key", "modify-value",
          "ext-value"]},
        "ext-registryaction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "KeyName": {"type": "string"},
        "KeyValue": {"type": "string"}},
      "required": ["KeyName"],
      "additionalProperties": false},
    "CertificateData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Certificate": {
          "type": "array",
          "items": {"$ref": "#/definitions/Certificate"},
          "minItems": 1}},
      "required": ["Certificate"],
      "additionalProperties": false},
    "Certificate": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "X509Data": {"$ref": "#/definitions/BYTE"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["X509Data"],
      "additionalProperties": false},
    "FileData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "File": {
          "type": "array",
          "items": {"$ref": "#/definitions/File"},
          "minItems": 1}},
      "required": ["File"],
      "additionalProperties": false},
    "File": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "FileName": {"type": "string"},
        "FileSize": {"type": "number"},
        "FileType": {"type": "string"},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype"},
          "minItems": 1},
        "HashData": {"$ref": "#/definitions/HashData"},
        "Signature": {
          "type": "array",
          "items": {"$ref": "#/definitions/BYTE"},
          "minItems": 1},
        "AssociatedSoftware": {
          "$ref": "#/definitions/SoftwareType"},
        "FileProperties": {
          "type": "array",
          "items": {"$ref": "#/definitions/ExtensionType"},
          "minItems": 1}},
      "required": [],
      "additionalProperties": false},
    "HashData": {
      "type": "object",
      "properties": {
        "scope": {"enum": ["file-contents", "file-pe-section",
          "file-pe-iat", "file-pe-resource", "file-pdf-object",
          "email-hash", "email-headers-hash", "email-body-hash",
          "ext-value"]},
        "HashTargetID": {"type": "string"},
        "Hash": {
          "type": "array",
          "items": {"$ref": "#/definitions/Hash"},
          "minItems": 1},
        "FuzzyHash": {
          "type": "array",
          "items": {"$ref": "#/definitions/FuzzyHash"},
          "minItems": 1}},
      "required": ["scope"],
      "additionalProperties": false},
    "Hash": {
      "type": "object",
      "properties": {
        "DigestMethod": {"$ref": "#/definitions/BYTE"},
        "DigestValue": {"$ref": "#/definitions/BYTE"},
        "CanonicalizationMethod": {
          "$ref": "#/definitions/BYTE"},
        "Application": {
          "$ref": "#/definitions/SoftwareType"}},
      "required": ["DigestMethod", "DigestValue"],
      "additionalProperties": false},
    "FuzzyHash": {
      "type": "object",
      "properties": {
        "FuzzyHashValue": {
          "type": "array",
          "items": {"$ref": "#/definitions/ExtensionType"},
          "minItems": 1},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "AdditionalData": {
          "$ref": "#/definitions/ExtensionTypeList"}},
      "required": ["FuzzyHashValue"],
      "additionalProperties": false},
    "Indicator": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
        "AlternativeIndicatorID": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/AlternativeIndicatorID"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Contact": {
          "type": "array",
          "items": {"$ref": "#/definitions/Contact"},
          "minItems": 1},
        "Observable": {"$ref": "#/definitions/Observable"},
        "uid-ref": {"$ref": "#/definitions/IDREFType"},
        "IndicatorExpression": {
          "$ref": "#/definitions/IndicatorExpression"},
        "IndicatorReference": {
          "$ref": "#/definitions/IndicatorReference"},
        "NodeRole": {
          "type": "array",
          "items": {"$ref": "#/definitions/NodeRole"},
          "minItems": 1},
        "AttackPhase": {
          "type": "array",
          "items": {"$ref": "#/definitions/AttackPhase"},
          "minItems": 1},
        "Reference": {
          "type": "array",
          "items": {"$ref": "#/definitions/Reference"},
          "minItems": 1},
        "AdditionalData": {
          "$ref": "#/definitions/ExtensionTypeList"}},
      "allOf": [
        {"required": ["IndicatorID"]},
        {"oneOf": [
          {"required": ["Observable"]},
          {"required": ["uid-ref"]},
          {"required": ["IndicatorExpression"]},
          {"required": ["IndicatorReference"]}]}],
      "additionalProperties": false},
    "IndicatorID": {
      "type": "object",
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "version": {"type": "string"}},
      "required": ["id", "name", "version"],
      "additionalProperties": false},
    "AlternativeIndicatorID": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "IndicatorID": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorID"},
          "minItems": 1}},
      "required": ["IndicatorID"],
      "additionalProperties": false},
    "Observable": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "System": {"$ref": "#/definitions/System"},
        "Address": {"$ref": "#/definitions/Address"},
"DomainData": {"Sref": "#/definitions/DomainData"}, 
"EmailData": {"Sref": "#/definitions/EmailData"}, 
"Service": {"Sref": "#/definitions/Service"}, 


"WindowsRegistryKeysModified": 4 

"Sref": "#/definitions/WindowsRegistryKeysModified"}, 
"FileData": {"Sref": "#/definitions/FileData"}, 
"CertificateData": { 

"Sref": "#/definitions/CertificateData"}, 
"RegistryHandle": 4 

"Šref": "#/definitions/RegistryHandle"}, 
"RecordData": {"Sref": "#/definitions/RecordData"}, 
"EventData": {"Sref": "#/definitions/EventData"}, 
"Incident": {"Sref": "#/definitions/Incident"}, 


"Expectation": {"Sref": "#/definitions/Expectation"}, 
"Reference": {"Sref": "#/definitions/Reference"}, 
"Assessment": {"Sref": "#/definitions/Assessment"}, 


"DetectionPattern": { 

"Sref": "#/definitions/DetectionPattern"}, 
"HistoryItem": {"Sref": "#/definitions/HistoryItem"}, 
"BulkObservable": 

"Sref": "#/definitions/BulkObservable"}, 
"AdditionalData": { 

"Šref":"4/definitions/ExtensionTypelist")), 
"oneOf": | 


{"required": 


"System" ]}, 


[ 
{"required":[ "Address" ]}, 
{"required" :["DomainData" ]}, 
{"required" :["EmailData"]}, 
{"required":[ "Service" ]}, 
{"required" :[ "WindowsRegistryKeysModified"]} 
{"required":["FileData"]}, 
{"required":["CertificateData"]}, 
{"required" :["RegistryHandle"]}, 
{"required":["RecordData"]}, 
{"required":["EventData"]}, 
("required":["Incident"]), 
("required":["Expectation"]), 
{"required":["Reference"]}, 
{" required" :[ "Assessment" ]}, 
{"required" :["DetectionPattern"]}, 
{"required" :["HistoryItem"]}, 


{"required": 

{"required": 
"additionalProperties": 

"BulkObservable": 4 
"type": "object", 
"properties": 4 


"domain-to-ipv4", 


["BulkObservable"]), 
["AdditionalData"])], 
false), 


"type": ('enum": l'asn", "atm", "e-mail", "ipv4-addr", 
"ipv4-net", "ipv4-net-mask", "ipv6-addr", "ipv6-net", 
"ipv6-net-mask", "mac", "site-uri", "domain-name", 


"domain-to-ipv6", 


"domain-to-ipv4-timestamp", 


"domain-to-ipv6-timestamp", "ipv4-port", "ipv6-port", 
"windows-reg-key", "file-hash", "email-x-mailer", 
"email-subject", "http-user-agent", 
"http-request-url", "mutex", "file-path", "user-name", 


"ext-value"]), 


"ext-type": {"type": "string"}, 
        "BulkObservableFormat": {
          "$ref": "#/definitions/BulkObservableFormat"},
        "BulkObservableList": {"type": "string"},
        "AdditionalData": {
          "$ref": "#/definitions/ExtensionTypeList"}},
      "required": ["BulkObservableList"],
      "additionalProperties": false},
    "BulkObservableFormat": {
      "type": "object",
      "properties": {
        "Hash": {"$ref": "#/definitions/Hash"},
        "AdditionalData": {
          "$ref": "#/definitions/ExtensionTypeList"}},
      "oneOf": [
        {"required": ["Hash"]},
        {"required": ["AdditionalData"]}
      ],
      "additionalProperties": false},
    "IndicatorExpression": {
      "type": "object",
      "properties": {
        "operator": {
          "enum": ["not", "and", "or", "xor"], "default": "and"},
        "ext-operator": {"type": "string"},
        "IndicatorExpression": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/IndicatorExpression"},
          "minItems": 1},
        "Observable": {
          "type": "array",
          "items": {"$ref": "#/definitions/Observable"},
          "minItems": 1},
        "uid-ref": {
          "type": "array",
          "items": {"$ref": "#/definitions/IDREFType"},
          "minItems": 1},
        "IndicatorReference": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/IndicatorReference"},
          "minItems": 1},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "AdditionalData": {
          "$ref": "#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "IndicatorReference": {
      "type": "object",
      "properties": {
        "uid-ref": {"$ref": "#/definitions/IDREFType"},
        "euid-ref": {"type": "string"},
        "version": {"type": "string"}},
      "oneOf": [
        {"required": ["uid-ref"]},
        {"required": ["euid-ref"]}
      ],
      "additionalProperties": false},
    "AttackPhase": {
      "type": "object",
      "properties": {
        "AttackPhaseID": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "AdditionalData": {
          "$ref": "#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false}},
  "title": "IODEF-Document",
  "description": "JSON schema for IODEF-Document class",
  "type": "object",
  "properties": {
    "version": {"type": "string"},
    "lang": {"$ref": "#/definitions/lang"},
    "format-id": {"type": "string"},
    "private-enum-name": {"type": "string"},
    "private-enum-id": {"type": "string"},
    "Incident": {
      "type": "array",
      "items": {"$ref": "#/definitions/Incident"},
      "minItems": 1},
    "AdditionalData": {
      "$ref": "#/definitions/ExtensionTypeList"}},
  "required": ["version", "Incident"],
  "additionalProperties": false}


Figure 6: JSON Schema 